Introduction:
A critical security vulnerability has been discovered in the widely used WordPress plugin, Essential Addons for Elementor. The vulnerability, identified as CVE-2023-32243, has the potential to be exploited by malicious actors, allowing them to gain elevated privileges on affected websites. The plugin maintainers have promptly addressed this issue in version 5.7.2, released on May 11, 2023. With over one million active installations, it is crucial for users to update their plugin to the latest version immediately to mitigate the risks associated with this vulnerability.
Details of the Vulnerability:
The security flaw in the Essential Addons for Elementor plugin enables unauthenticated users to escalate their privileges to those of any user on the WordPress site. This unauthenticated privilege escalation vulnerability allows threat actors to reset the password of any user whose username they know. The vulnerability has existed since version 5.4.0, potentially impacting a large number of websites. Exploitation of this flaw could lead to severe consequences, such as unauthorised access and complete control over the compromised website.
Previous Vulnerabilities and Emerging Threats:
This disclosure follows a previous severe vulnerability found in the same plugin, which could have allowed arbitrary code execution on compromised websites. The discovery also coincides with the detection of a recent wave of attacks targeting WordPress sites since late March 2023. These attacks aim to inject the SocGholish (aka FakeUpdates) malware, a persistent JavaScript malware framework, into vulnerable hosts. The malware facilitates the delivery of additional malware to infected systems and disguises itself as a web browser update. The attackers employ compression techniques using the zlib software library to conceal the malware and evade detection.
Evolution of Malware Campaigns:
Malicious actors continually adapt their tactics to evade detection and extend the lifespan of their malware campaigns. The SocGholish malware campaign exemplifies this trend, as attackers modify their approach to inject malicious scripts into compromised WordPress websites. Additionally, Malwarebytes recently published a technical report outlining a malvertising campaign that targets visitors to adult websites. The campaign uses popunder ads that mimic fake Windows updates and deliver the “in2al5d p3in4er” (aka Invalid Printer) loader. This loader checks the system’s graphics card to determine if it is running on a virtual machine or a sandbox environment, ultimately launching the Aurora information stealer malware.
Immediate Action Required:
Wordfence, a leading WordPress security provider, has reported active exploitation of the critical vulnerability in the Essential Addons for Elementor plugin. In the past 24 hours alone, they have blocked 200 attacks targeting this flaw. Given the ongoing attacks, it is vital for users to update the plugin to the latest version without delay. Immediate action will help safeguard websites from potential compromise and ensure the continued security of user data.
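The practical check an administrator wants here is whether an installed copy of the plugin falls inside the affected range the article gives (5.4.0 up to, but not including, the fixed release 5.7.2). The following is an added example, not code from the article or from the plugin's authors: it parses the standard WordPress plugin header comment for its `Version:` line and compares it against that range. The sample headers are constructed for illustration, and the `assess_plugin_file` helper assumes you pass it the path of the plugin's main PHP file (the exact filename is not stated on the page).

```python
"""Triage check for CVE-2023-32243: is an installed copy of Essential Addons
for Elementor inside the affected version range?  Added example, not the
article's or the plugin's own code."""
import re
from pathlib import Path

# Range taken from the advisory text: affected since 5.4.0, fixed in 5.7.2.
AFFECTED_FROM = (5, 4, 0)
FIXED_IN = (5, 7, 2)

# WordPress plugin headers are lines like " * Version: 5.7.1" inside a
# PHP doc comment at the top of the plugin's main file.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(text):
    """Turn '5.7.1' (or '5.7' / '5.7.2-beta') into a comparable 3-tuple."""
    core = text.split("-")[0]                      # drop pre-release suffixes
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    while len(parts) < 3:                          # pad '5.7' -> (5, 7, 0)
        parts.append(0)
    return tuple(parts[:3])


def version_from_header(header_text):
    """Extract and parse the Version: field from a plugin header comment."""
    match = _VERSION_RE.search(header_text)
    if not match:
        raise ValueError("no 'Version:' line found in plugin header")
    return parse_version(match.group(1))


def is_affected(version):
    """True when 5.4.0 <= version < 5.7.2, i.e. inside the vulnerable range."""
    return AFFECTED_FROM <= version < FIXED_IN


def assess_header(header_text):
    """Return a small report dict for one plugin header."""
    version = version_from_header(header_text)
    return {
        "version": ".".join(map(str, version)),
        "affected": is_affected(version),
        "action": "update to 5.7.2 or later" if is_affected(version) else "no action needed for CVE-2023-32243",
    }


def assess_plugin_file(path):
    """Read a plugin main file from disk and assess it (path is an assumption)."""
    return assess_header(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample headers for offline demonstration (not real plugin files).
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name: Essential Addons for Elementor
 * Version: 5.7.1
 * Requires PHP: 7.0
 */
"""

SAMPLE_FIXED = """<?php
/**
 * Plugin Name: Essential Addons for Elementor
 * Version: 5.7.2
 * Requires PHP: 7.0
 */
"""

if __name__ == "__main__":
    for label, header in (("sample-old", SAMPLE_VULNERABLE), ("sample-new", SAMPLE_FIXED)):
        print(label, assess_header(header))
```

Run it against the real main plugin file with `assess_plugin_file("/path/to/wp-content/plugins/<plugin-dir>/<main-file>.php")`; a version inside the range is a reason to update now rather than wait for a maintenance window, since the article reports the flaw is already being exploited.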
Conclusion:
The security vulnerability in the Essential Addons for Elementor plugin highlights the importance of regularly updating plugins to protect against emerging threats. Website administrators and users should prioritise updating the plugin to version 5.7.2 or later to address the critical vulnerability promptly. Additionally, staying vigilant against evolving malware campaigns, such as SocGholish and the Invalid Printer loader, is crucial for maintaining a secure online environment. By staying informed and taking necessary security measures, website owners can safeguard their sites and protect user data from potential breaches.