A critical vulnerability in Essential Addons for Elementor allowed unauthenticated attackers to reset the password of arbitrary user accounts on WordPress sites running the plugin; a patch was released on May 11, 2023. Attack activity followed, including readme.txt probing to fingerprint vulnerable installs and thousands of blocked exploit attempts, and Wordfence released firewall rules and urged users to update to version 5.7.2. #EssentialAddonsForElementor #Wordfence
Keypoints
- The Essential Addons for Elementor plugin patch fixed a critical vulnerability that let attackers reset arbitrary user passwords without authentication.
- Readme.txt probing by attackers spiked after disclosure, with millions of probes and thousands of blocked exploits observed.
- An exploit was released publicly on GitHub on May 14, 2023, increasing feasibility for attackers to weaponize the flaw.
- Wordfence responded with firewall rules for Premium, Care, and Response on disclosure day, and planned a broader rollout for free users 30 days later.
- Technical flaw: the plugin's reset_password handler verified only a nonce and a username and never checked the request against a per-user password reset key. A nonce proves only that the request originated from a page that rendered the form; it is not tied to the target account or to a reset that account actually requested, so a valid username plus a nonce was enough to set a new password.
- Attackers can enumerate usernames (e.g., “admin”), reset that account's password and log in as an administrator, after which they can install backdoors or malicious plugins to keep access.
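The pattern described in the key points, as an added illustration that is not the plugin's own code: a minimal WordPress AJAX password-reset handler that, like the flaw, accepts only a nonce plus a username, beside a hardened version that also requires the per-user reset key WordPress issues. The hook name, nonce action and POST field names (`demo_nonce`, `rp_login`, `rp_key`, `rp_password`, `rp_password_confirm`) are assumptions for this demo; the WordPress functions called are real.

```php
<?php
// Added example (not the plugin's own code). Hook, nonce action and POST field
// names are assumptions for this demo; the WordPress functions are real.

// VULNERABLE pattern: a nonce plus a username is enough to set a new password.
function demo_reset_password_vulnerable() {
    $nonce = isset( $_POST['demo_nonce'] ) ? (string) $_POST['demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_reset_password' ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    $login = sanitize_user( wp_unslash( $_POST['rp_login'] ?? '' ) );
    $user  = get_user_by( 'login', $login );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    // A nonce only proves the request came from a page that rendered the form;
    // it is not tied to this account or to a reset the user actually requested.
    // Anyone holding a valid nonce and a guessable login (e.g. "admin") wins here.
    reset_password( $user, (string) ( $_POST['rp_password'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED pattern: require the per-user reset key that WordPress emails out.
function demo_reset_password_hardened() {
    $nonce = isset( $_POST['demo_nonce'] ) ? (string) $_POST['demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_reset_password' ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    $login = sanitize_user( wp_unslash( $_POST['rp_login'] ?? '' ) );
    $key   = sanitize_text_field( wp_unslash( $_POST['rp_key'] ?? '' ) );

    // check_password_reset_key() compares the key with the stored hash and
    // honours its expiry; it returns a WP_User on success and a WP_Error
    // otherwise, so the caller cannot select the account by login alone.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'invalid or expired reset key', 403 );
    }

    $pass1 = (string) ( $_POST['rp_password'] ?? '' );
    $pass2 = (string) ( $_POST['rp_password_confirm'] ?? '' );
    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        wp_send_json_error( 'passwords missing or do not match', 400 );
    }

    // reset_password() stores the new hash and clears user_activation_key,
    // so the same reset key cannot be replayed afterwards.
    reset_password( $user, $pass1 );
    wp_send_json_success();
}

// Only the hardened handler is wired up; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_nopriv_demo_reset_password', 'demo_reset_password_hardened' );
add_action( 'wp_ajax_demo_reset_password', 'demo_reset_password_hardened' );
```

The point of the hardened version is that the secret which authorizes the change is per account and single-use (the reset key), not a page-level nonce that any visitor to the form can obtain; the nonce check stays, but only as CSRF protection.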
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers leveraged a publicly disclosed vulnerability in Essential Addons for Elementor to reset passwords for arbitrary accounts; “a programmatic exploit was made public on Github on May 14th.”
- [T1087] Account Discovery – WordPress doesn’t treat usernames as sensitive, enabling enumeration of valid usernames on target sites; “WordPress doesn’t consider usernames to be sensitive information which means attackers can easily enumerate a site looking for valid usernames.”
- [T1078] Valid Accounts – Attackers reset passwords for arbitrary accounts to gain administrator access; “The vulnerability patched … allowed for attackers to reset passwords for arbitrary accounts on any of the one million WordPress sites running the plugin.”
- [T1518] Software Discovery – Readme probing to determine if the vulnerable plugin is installed; “readme.txt probing attempts for Essential Addons for Elementor…”
- [T1068] Exploitation for Privilege Escalation – Exploiting the reset flaw turns an unauthenticated attacker into an administrator; the follow-on step of installing plugins and backdoors to keep that access maps to persistence (T1505.003, Server Software Component: Web Shell); “Once the attacker is logged in as an administrator, they have free rein to perform actions like installing plugins and backdoors…”
Indicators of Compromise
- [IP Address] context – 78.128.60.112, 23.224.195.51, and 8 more items
- [User Agent] context – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299
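A way to hunt for the readme.txt probing and the indicators above in a web server access log, as an added example that is not Wordfence's or the plugin's code. Only the two IP addresses and the User-Agent printed on this page are used as indicators; the probe path assumes the free plugin's directory name on wordpress.org (essential-addons-for-elementor-lite), and the log lines are constructed, not real traffic.

```php
<?php
// Added example (not from Wordfence or the plugin). Scans combined-log-format
// lines for the indicators listed on this page plus readme.txt fingerprinting.
// The plugin directory name is an assumption; the sample lines are constructed.

const DEMO_IOC_IPS = [ '78.128.60.112', '23.224.195.51' ];
const DEMO_IOC_UA  = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299';
const DEMO_README  = '/wp-content/plugins/essential-addons-for-elementor-lite/readme.txt';

// Parse one combined-log-format line into its fields, or return null.
function demo_parse_clf( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [ 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6] ];
}

// Return one finding per suspicious line, tagged with every reason it matched.
function demo_scan_access_log( array $lines ): array {
    $findings = [];
    foreach ( $lines as $line ) {
        $r = demo_parse_clf( trim( $line ) );
        if ( null === $r ) {
            continue;
        }
        $reasons = [];
        if ( in_array( $r['ip'], DEMO_IOC_IPS, true ) ) {
            $reasons[] = 'ioc-ip';
        }
        if ( $r['ua'] === DEMO_IOC_UA ) {
            $reasons[] = 'ioc-ua';
        }
        // readme.txt fetches are how scanners confirm the plugin and its version.
        if ( 0 === strpos( $r['path'], DEMO_README ) ) {
            $reasons[] = 'readme-probe';
        }
        // An unauthenticated POST to admin-ajax.php is the shape an exploit
        // attempt takes; it is flagged only when another indicator also hit,
        // because ordinary sites see plenty of benign admin-ajax traffic.
        if ( $reasons && 'POST' === $r['method'] && false !== strpos( $r['path'], '/wp-admin/admin-ajax.php' ) ) {
            $reasons[] = 'ajax-post';
        }
        if ( $reasons ) {
            $findings[] = [ 'ip' => $r['ip'], 'time' => $r['time'], 'path' => $r['path'], 'status' => $r['status'], 'reasons' => $reasons ];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic): a probe, a blocked POST, and benign traffic.
$sample = [
    '78.128.60.112 - - [12/May/2023:10:01:02 +0000] "GET ' . DEMO_README . ' HTTP/1.1" 200 5120 "-" "' . DEMO_IOC_UA . '"',
    '23.224.195.51 - - [12/May/2023:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 98 "-" "' . DEMO_IOC_UA . '"',
    '203.0.113.7 - - [12/May/2023:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
];

foreach ( demo_scan_access_log( $sample ) as $f ) {
    printf( "%s %s %s %d [%s]\n", $f['time'], $f['ip'], $f['path'], $f['status'], implode( ',', $f['reasons'] ) );
}
```

Run it as `php scan.php` against lines read from the real log instead of `$sample`; a readme probe followed shortly by a POST to admin-ajax.php from the same source is the sequence worth escalating, and a 200 on that POST (rather than the 403 a firewall rule would return) means the reset should be assumed to have succeeded and the site's administrator accounts and plugin list reviewed.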