Essential Addons for Elementor, a plugin with more than a million active installs, has patched an unauthenticated privilege escalation vulnerability in version 5.7.2. The vulnerability was discovered on May 8, 2023, and reported by Patchstack researcher Rafie Muhammad. It was given a 9.8 (Critical severity) CVSS 3.1 score and is not yet known to have been exploited.

Muhammad outlined the vulnerability in a security advisory published today:

This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.

It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user. 

The plugin’s authors published the patch today, on May 11, with the following note in the changelog:

5.7.2 – 11/05/2023
Improved: EA Login/Register Form for Security Enhancement
Few minor bug fixes & improvements

The vulnerability affects sites using versions 5.4.0 to 5.7.1 of Essential Addons for Elementor. Users are advised to update to the latest version 5.7.2 immediately now that Patchstack has published the proof of concept for exploiting it.