WordPress Plugin Vulnerability Report – Essential Addons for Elementor – Authenticated (Contributor+) Privilege Escalation
Plugin Name:
Essential Addons for Elementor
Key Information:
- Software Type: Plugin
- Software Slug: essential-addons-for-elementor-lite
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 55,164,924
- Active Installs: 1,000,000+
- Last Updated: September 14, 2023
- Patched Versions: 5.8.9
- Affected Versions: <=5.8.8
Vulnerability Details:
- Name: Essential Addons for Elementor <= 5.8.8 - Authenticated (Contributor+) Privilege Escalation
- Type: Missing Authorization (CWE-862)
- CVSS Score: 8.8 (high)
- Publicly Published: September 14, 2023
- Description: The plugin is vulnerable to privilege escalation because it does not restrict who may add a registration form, or choose the role that form assigns to new registrants, on an Elementor-created page.
Summary:
The Essential Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 5.8.8 that enables privilege escalation due to a lack of authorization checks. This vulnerability has been patched in version 5.8.9.
Detailed Overview:
The Essential Addons for Elementor plugin is vulnerable to privilege escalation due to a lack of proper authorization checks. Specifically, any authenticated user with Contributor-level access or higher who can open a page in the Elementor editor can add the plugin's registration form widget and set the default role for new registrants to "administrator". Once that form is reachable, the attacker simply registers a new account through it and receives administrator privileges. The vulnerability is rated high, with a CVSS score of 8.8, and the exposure is broad because the plugin has over 1,000,000 active installations.
Two caveats apply. First, a Contributor cannot publish pages, so the malicious form normally only goes live if a user with publishing rights publishes it (or the attacker already has such rights); this makes the issue difficult to exploit without publishing capabilities. Second, the bug appears to be a regression: an identical issue was patched in version 4.6.5.
Advice for Users:
- Immediate Action: Users are strongly encouraged to update to the patched version 5.8.9 as soon as possible to mitigate this risk.
- Check for Signs of Compromise: Updating the plugin closes the hole but does not remove accounts that were already created through it. Review the Users list for administrator accounts you did not create (sort by registration date), audit Elementor pages, including drafts, for a registration form whose default role is set to administrator or editor, and check for unexpected role changes. Delete any rogue administrator and reset credentials for legitimate ones if you find evidence of misuse.
- Alternate Plugins: A patch is available, so switching plugins is not required. If you do evaluate plugins offering similar widgets, do so after updating, not instead of it.
- Stay Updated: Keep all plugins and themes current, and enable automatic updates for this plugin where your change process allows it.
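The following script is an added triage example, not code from the plugin, from Wordfence, or from the original report. It implements the two checks above offline: it walks exported `_elementor_data` post meta looking for Essential Addons registration widgets whose default role is privileged, and it lists administrator accounts registered after a cutoff. The widget type string `eael-login-register` and the setting key `register_user_role` are assumptions about how the plugin stores the form; confirm them against a real export before relying on the result. The data can be pulled with `wp post meta get <id> _elementor_data` (or `SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'`) and `wp user list --fields=user_login,roles,user_registered --format=json`; the sample data embedded below is constructed.

```python
import json
from datetime import datetime

# Assumed identifiers (not confirmed by the advisory); adjust after inspecting a real export.
WIDGET_TYPE = "eael-login-register"
ROLE_KEY = "register_user_role"
PRIVILEGED_ROLES = {"administrator", "editor"}


def walk_elements(elements):
    """Depth-first walk of Elementor's nested element tree (section > column > widget)."""
    for el in elements:
        yield el
        yield from walk_elements(el.get("elements", []))


def find_risky_forms(post_id, elementor_data):
    """Return (post_id, element_id, role) for every registration widget whose
    default registration role is privileged. `elementor_data` is the raw
    `_elementor_data` meta value, a JSON string."""
    hits = []
    for el in walk_elements(json.loads(elementor_data)):
        if el.get("elType") == "widget" and el.get("widgetType") == WIDGET_TYPE:
            role = el.get("settings", {}).get(ROLE_KEY, "subscriber")
            if role in PRIVILEGED_ROLES:
                hits.append((post_id, el.get("id"), role))
    return hits


def recent_admins(users, since):
    """Return logins of administrator accounts registered at or after `since`.
    `users` has the shape of `wp user list --fields=user_login,roles,user_registered
    --format=json`, where roles is a comma-separated string."""
    cutoff = datetime.fromisoformat(since)
    return sorted(
        u["user_login"]
        for u in users
        if "administrator" in u["roles"].split(",")
        and datetime.fromisoformat(u["user_registered"]) >= cutoff
    )


# Constructed sample data standing in for a real export.
SAMPLE_META = {
    # Page 12: a draft a Contributor saved with the role forced to administrator.
    12: json.dumps([
        {"id": "a1", "elType": "section", "settings": {}, "elements": [
            {"id": "b2", "elType": "column", "settings": {}, "elements": [
                {"id": "c3", "elType": "widget", "widgetType": WIDGET_TYPE,
                 "settings": {ROLE_KEY: "administrator"}, "elements": []},
            ]},
        ]},
    ]),
    # Page 15: a legitimate registration form that keeps the subscriber default.
    15: json.dumps([
        {"id": "d4", "elType": "section", "settings": {}, "elements": [
            {"id": "e5", "elType": "column", "settings": {}, "elements": [
                {"id": "f6", "elType": "widget", "widgetType": WIDGET_TYPE,
                 "settings": {ROLE_KEY: "subscriber"}, "elements": []},
                {"id": "g7", "elType": "widget", "widgetType": "heading",
                 "settings": {"title": "Sign up"}, "elements": []},
            ]},
        ]},
    ]),
}

SAMPLE_USERS = [
    {"user_login": "owner", "roles": "administrator", "user_registered": "2021-03-01 09:00:00"},
    {"user_login": "writer", "roles": "contributor", "user_registered": "2023-08-20 14:10:00"},
    {"user_login": "sysadm1n", "roles": "administrator", "user_registered": "2023-09-15 02:41:07"},
]


def triage(meta=SAMPLE_META, users=SAMPLE_USERS, since="2023-09-01 00:00:00"):
    """Run both checks and return the findings as a dict."""
    forms = [hit for post_id, data in meta.items() for hit in find_risky_forms(post_id, data)]
    return {"risky_forms": forms, "new_admins": recent_admins(users, since)}


if __name__ == "__main__":
    result = triage()
    for post_id, element_id, role in result["risky_forms"]:
        print(f"post {post_id}: widget {element_id} registers new users as '{role}'")
    for login in result["new_admins"]:
        print(f"administrator '{login}' was created after the cutoff; verify it is legitimate")
```

Drafts are scanned on purpose: a form saved by a Contributor but never published is still evidence that someone tried, and it will go live the moment an Editor publishes the page. A hit from either check is a lead to investigate, not proof of compromise on its own.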
Conclusion:
The prompt response from the plugin developers in releasing patch version 5.8.9 underscores the importance of timely updates. Users are advised to ensure that they are running version 5.8.9 or later to secure their WordPress installations.
References:
- Wordfence Essential Addons for Elementor Vulnerability Report
- Wordfence Detailed Vulnerability Overview
Detailed Report:
Keeping your WordPress site secure should be a top priority - but it can be easy to let things slip through the cracks. Unfortunately, a serious vulnerability has recently been disclosed in one of the most popular WordPress plugins, Essential Addons for Elementor. In this post, I'll explain the details of this vulnerability, the risks it poses, and what you need to do to protect your site.
The Essential Addons for Elementor plugin powers enhanced page building capabilities for over 1 million WordPress sites. However, versions up to and including 5.8.8 contain a privilege escalation vulnerability stemming from insufficient authorization checks. Specifically, the flaw lets a Contributor (or any higher role) build a custom registration form that hands new registrants an administrator account.
With a high severity CVSS score of 8.8, this is a vulnerability that should not be taken lightly. A successful exploit could lead to a malicious actor gaining complete control over your WordPress site. They could then deface or take down your site, steal sensitive data, or use your site for criminal purposes.
The good news is that the vulnerability has been patched in version 5.8.9. If you have not yet updated, you should do so immediately. You can update the plugin directly from your WordPress dashboard: go to Plugins > Installed Plugins, find Essential Addons for Elementor, and click "Update now" if an update is available. From the command line, `wp plugin update essential-addons-for-elementor-lite` does the same. Afterwards, confirm the installed version reads 5.8.9 or later, and check your Users list for administrator accounts you do not recognise, since the update does not remove accounts that were created before it.
This is not the first vulnerability found in the plugin. There have been 7 other disclosed vulnerabilities since April 2021, underscoring the importance of prompt updating.
As a small business owner with limited time, I know how hard it can be to stay on top of security issues like this. But given the broad use of this plugin and high risks associated with the vulnerability, taking a few minutes to update is critical. Make a habit of regularly checking your installed plugins and themes for pending updates. It is the simplest way to keep threats at bay.
Staying vigilant about WordPress security is non-negotiable for any website owner. I hope this summary of the recent Essential Addons vulnerability and advice has been helpful. Reach out if you need any assistance getting your site updated.
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.