Critical Privilege Escalation in Essential Addons for Elementor

Published 11 May 2023
Updated 11 December 2023
Rafie Muhammad
Security Researcher at Patchstack
Table of Contents

This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re an Essential Addons for Elementor user, please update the plugin to at least version 5.7.2.

Patchstack paid plan users are protected from the vulnerability. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.

For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.

About the Essential Addons for Elementor WordPress plugin

The plugin Essential Addons for Elementor (versions >= 5.4.0 and <= 5.7.1, free version), which has over 1 million active installations, is known as the most popular Elementor addons plugins in WordPress.

Essential Addons for Elementor plugin vulnerability

This WordPress plugin enhances the Elementor page-building experience with 90+ creative elements and extensions. This plugin adds powers to our page builder using the easy-to-use elements that were designed to make our next WordPress page and post design easier and prettier than ever before.

The security vulnerability in Essential Addons for Elementor

This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.

It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account.

This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user. The described vulnerability was fixed in version 5.7.2 and assigned CVE-2023-32243.

Find out more from the Patchstack database

The start of discovering this vulnerability came from observing the init hook located in the register_hooks function:

// Login | Register
add_action('init', [$this, 'login_or_register_user']);

Let’s see the login_or_register_user function that will be triggered:

public function login_or_register_user() {
    do_action( 'eael/login-register/before-processing-login-register', $_POST );
    // login or register form?
    if ( isset( $_POST['eael-login-submit'] ) ) {
        $this->log_user_in();
    } else if ( isset( $_POST['eael-register-submit'] ) ) {
        $this->register_user();
    } else if ( isset( $_POST['eael-lostpassword-submit'] ) ) {
        $this->send_password_reset();
    } else if ( isset( $_POST['eael-resetpassword-submit'] ) ) {
        $this->reset_password();
    }
    do_action( 'eael/login-register/after-processing-login-register', $_POST );

}

The function will perform a couple of checks if certain $_POST parameters are set and will call the corresponding function. The underlying vulnerability is located in the reset_password function. Based on the official commit, the affected function only exists starting from version 5.4.0.

public function reset_password() {
    $ajax   = wp_doing_ajax();
    $page_id = 0;
    if ( ! empty( $_POST['page_id'] ) ) {
        $page_id = intval( $_POST['page_id'], 10 );
    } else {
        $err_msg = esc_html__( 'Page ID is missing', 'essential-addons-for-elementor-lite' );
    }

    $widget_id = 0;
    if ( ! empty( $_POST['widget_id'] ) ) {
        $widget_id = sanitize_text_field( $_POST['widget_id'] );
    } else {
        $err_msg = esc_html__( 'Widget ID is missing', 'essential-addons-for-elementor-lite' );
    }

    $rp_data = [
        'rp_key' => ! empty( $_POST['rp_key'] ) ? sanitize_text_field( $_POST['rp_key'] ) : '',
        'rp_login' => ! empty( $_POST['rp_login'] ) ? sanitize_text_field( $_POST['rp_login'] ) : '',
    ];

    update_option( 'eael_resetpassword_rp_data_' . esc_attr( $widget_id ), maybe_serialize( $rp_data ), false );

    update_option( 'eael_show_reset_password_on_form_submit_' . $widget_id, true, false );

    if (!empty( $err_msg )){
        if ( $ajax ) {
            wp_send_json_error( $err_msg );
        }
        update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );

        if (isset($_SERVER['HTTP_REFERER'])) {
            wp_safe_redirect($_SERVER['HTTP_REFERER']);
            exit();
        }
    }

    if ( empty( $_POST['eael-resetpassword-nonce'] ) ) {
        $err_msg = esc_html__( 'Insecure form submitted without security token', 'essential-addons-for-elementor-lite' );
        if ( $ajax ) {
            wp_send_json_error( $err_msg );
        }
        update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );

        if (isset($_SERVER['HTTP_REFERER'])) {
            wp_safe_redirect($_SERVER['HTTP_REFERER']);
            exit();
        }
    }
    if ( ! wp_verify_nonce( $_POST['eael-resetpassword-nonce'], 'essential-addons-elementor' ) ) {
        $err_msg = esc_html__( 'Security token did not match', 'essential-addons-for-elementor-lite' );
        if ( $ajax ) {
            wp_send_json_error( $err_msg );
        }
        update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );

        if (isset($_SERVER['HTTP_REFERER'])) {
            wp_safe_redirect($_SERVER['HTTP_REFERER']);
            exit();
        }
    }
    $settings = $this->lr_get_widget_settings( $page_id, $widget_id);

    if ( is_user_logged_in() ) {
        $err_msg = isset( $settings['err_loggedin'] ) ? __( Helper::eael_wp_kses( $settings['err_loggedin'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'You are already logged in', 'essential-addons-for-elementor-lite' );
        if ( $ajax ) {
            wp_send_json_error( $err_msg );
        }
        update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );

        if (isset($_SERVER['HTTP_REFERER'])) {
            wp_safe_redirect($_SERVER['HTTP_REFERER']);
            exit();
        }
    }

    do_action( 'eael/login-register/before-resetpassword-email' );

    $widget_id = ! empty( $_POST['widget_id'] ) ? sanitize_text_field( $_POST['widget_id'] ) : '';

    // Check if password is one or all empty spaces.
    $errors = [];
    if ( ! empty( $_POST['eael-pass1'] ) ) {
        $post_eael_pass1 = trim( $_POST['eael-pass1'] );

        if ( empty( $post_eael_pass1 ) ) {
            $errors['password_reset_empty_space'] = isset( $settings['err_pass'] ) ? __( Helper::eael_wp_kses( $settings['err_pass'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'The password cannot be a space or all spaces.', 'essential-addons-for-elementor-lite' );
        }
    } else {
        if ( empty( $_POST['eael-pass1'] ) ) {
            $errors['password_reset_empty_space'] = isset( $settings['err_pass'] ) ? __( Helper::eael_wp_kses( $settings['err_pass'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'The password cannot be a space or all spaces.', 'essential-addons-for-elementor-lite' );
        }
    }

    if( ! empty( $_POST['eael-pass1'] ) && strlen( trim( $_POST['eael-pass1'] ) ) == 0 ){
        $errors['password_reset_empty'] = esc_html__( 'The password cannot be empty.', 'essential-addons-for-elementor-lite' );
    }
    
    // Check if password fields do not match.
    if ( ! empty( $_POST['eael-pass1'] ) && $_POST['eael-pass2'] !== $_POST['eael-pass1'] ) {
        $errors['password_reset_mismatch'] = isset( $settings['err_conf_pass'] ) ? __( Helper::eael_wp_kses( $settings['err_conf_pass'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'The passwords do not match.', 'essential-addons-for-elementor-lite' );
    }

    if ( ( ! count( $errors ) ) && isset( $_POST['eael-pass1'] ) && ! empty( $_POST['eael-pass1'] ) ) {
        $rp_login = isset( $_POST['rp_login']) ? sanitize_text_field( $_POST['rp_login'] ) : '';
        $user = get_user_by( 'login', $rp_login );
        
        if( $user || ! is_wp_error( $user ) ){
            reset_password( $user, sanitize_text_field( $_POST['eael-pass1'] ) );
-----------------------------------------------------------------------------------

First, we need to set a random value in $_POST['page_id'] and $_POST['widget_id'] so the $err_msg is not set. We also need to set $_POST['eael-resetpassword-nonce'] since the nonce value will be verified on the code. To set the password, we need to supply the same password string to $_POST['eael-pass1'] and $_POST['eael-pass2'] since it will be checked.

If we already pass all of the above conditions, the code will construct a $rp_login variable from $_POST[‘rp_login’]. The code then will construct a $user object using the get_user_by function by searching the login (username) value that matches the $rp_login variable.

If the $user object exists and there is no error, the code will directly reset the users’ password using the reset_password function.

At this point, the question is perhaps how we can get our hands on the essential-addons-elementor nonce value. Turns out that this nonce value is present in the main front-end page of the WordPress site since it will be set in the $this->localize_objects variable by the load_commnon_asset function:

// localize object
$this->localize_objects = apply_filters( 'eael/localize_objects', [
    'ajaxurl'            => admin_url( 'admin-ajax.php' ),
    'nonce'              => wp_create_nonce( 'essential-addons-elementor' ),

The $this->localize_objects variable will be used as the object on the wp_localize_script call in the frontend_asset_load function:

public function frontend_asset_load() {
    $handle        = 'eael';
    $this->post_id = get_the_ID();

    $this->elements_manager->get_element_list( $this->post_id );
    $this->load_commnon_asset();
    $this->register_script();

-------------------- CUTTED HERE ------------------------------------

    wp_localize_script( $handle, 'localize', $this->localize_objects );
}

The function eventually will be called from init_hook and it will be set as a function handler of wp_enqueue_scripts hook that will display all of the enqueued scripts and styles.

protected function init_hook() {
    add_action( 'wp_footer', [ $this, 'add_inline_js' ], 100 );
    add_action( 'wp_footer', [ $this, 'add_inline_css' ], 15 );
    add_action( 'after_delete_post', [ $this, 'delete_cache_data' ] );

    add_action( 'wp_enqueue_scripts', [ $this, 'frontend_asset_load' ], 100 );
    add_action( 'elementor/frontend/before_enqueue_styles', [ $this, 'ea_before_enqueue_styles' ] );
    add_action( 'elementor/theme/register_locations', [ $this, 'load_asset_per_location' ], 20 );
    add_filter( 'elementor/files/file_name', [ $this, 'load_asset_per_file' ] );
}

Note that this vulnerability could be triggered on a default installation or configuration of the Essential Addons for Elementor plugin.

The patch in Essential Addons for Elementor

Since this vulnerability exists because the code directly resets a user’s password without properly checking if the password reset key is present and legitimate, the patch is pretty straightforward. The vendor decided to use the eael_resetpassword_rp_data_* value configured from eael_redirect_to_reset_password function to validate the reset password process. The patch can be seen below.

Essential Addons for Elementor plugin vulnerability

Conclusion

Keep in mind that unauthenticated users can execute the init and also admin_init hooks on WordPress, so we need to add proper access control and nonce check to the function handler if it contains a certain action that performs something that interacts with the database.

Also pay extra attention to anything that is related to the login, registration, and password reset/recovery process. We highly recommend utilizing the check_password_reset_key function to check for the reset password key.

Timeline

08 May, 2023We found the vulnerability and reached out to the plugin vendor.
11 May, 2023Essential Addons for Elementor version 5.7.2 was published to patch the reported issues.
11 May, 2023Added the vulnerabilities to the Patchstack vulnerability database.
11 May, 2023Published the article.

Since we’ve detected that third parties have had access to the vulnerability information via monitoring the changelog and have made the issue public, we’ve decided to disclose the vulnerability early.

Help us make the Internet a safer place

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

  • If you’re a plugin developer, join our mVDP program that makes it easier to report, manage, and address vulnerabilities in your software.
  • If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.

The latest in Security advisories

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu