Exploit for the popular website platform found in Essential Addons
WordPress is a popular website management platform, a free resource allowing anyone to make their own domain. It’s used by bloggers, professionals, and e-vendors. Even we at Bytagig make use of WordPress’ business resources. But because of its popularity, it’s a ripe target for attackers and threat campaigns, from credential theft to plugin exploitation.
The website builder takes advantage of plugins and extensions which modify its basic functions, from online shopping to templates that completely redesign the website. However, these templates require updates and continued maintenance; otherwise they run the risk of a breach. That’s just what happened with the Essential Addons for WordPress plugin. Threat actors discovered an exploitable weakness (CVE-2023-32243), leaving millions of websites open to attack.
The danger is rated as a critical vulnerability and should be addressed ASAP by website administrators. The exploit allows an attacker to escalate privileges and take over any user account(s), including domain owners. In essence, they’re able to steal the keys to your digital house. Naturally, this is dangerous, as hackers gain access not only to administrator functions, but also to critical data housed in the impacted website. They can elect to ransom the credentials back, steal client data (where relevant), or threaten to scuttle the website entirely.
Attackers can do this by resetting a password without the use of a reset key.
Resolving the exploit
A patch has been released for Essential Addons to address the critical vulnerability. Currently, versions 5.4.0 to 5.7.1 are vulnerable. Updating to version 5.7.2 will address the exploit. Any WordPress domain using the Essential Addons tool should update to the latest version as soon as possible.
If you haven’t already and are concerned about a potential breach, there are several things you should do.
- Back up all critical data, from website information to client login information
- Remove the Essential Addons integration until you can update to the patched version
- Alert all relevant staff of the critical vulnerability
As always, spread awareness and update to the patched version ASAP.
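To check which installs fall in the affected range given above (5.4.0 to 5.7.1), the following added example, which is not code from the plugin or from this article's author, reads the standard WordPress plugin header from each plugin's PHP file and classifies the version. The `name_match` string, the folder names and the sample headers in `demo()` are constructed assumptions; point `scan()` at your own plugins directory.

```python
import re
import tempfile
from pathlib import Path

# Range stated in the article: 5.4.0 to 5.7.1 vulnerable, fixed in 5.7.2.
VULN_MIN, VULN_MAX = (5, 4, 0), (5, 7, 1)
# WordPress plugin header fields sit in the comment block at the top of the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)


def parse_version(text):
    """'5.7.1' -> (5, 7, 1); short versions are padded, so '5.7' -> (5, 7, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version_text):
    """Place a version string relative to the affected range."""
    v = parse_version(version_text)
    if v < VULN_MIN:
        return "below affected range"
    return "VULNERABLE" if v <= VULN_MAX else "patched"


def scan(plugins_dir, name_match="essential addons"):
    """Return (plugin folder, version, status) for each matching plugin header."""
    found = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        hdr = {k.lower(): v for k, v in HEADER_RE.findall(head)}
        if name_match in hdr.get("plugin name", "").lower() and "version" in hdr:
            found.append((php.parent.name, hdr["version"], classify(hdr["version"])))
    return found


def demo():
    """Scan a throwaway plugins directory built from constructed sample headers."""
    samples = {"copy-a": "5.7.1", "copy-b": "5.7.2", "copy-c": "5.3.2"}
    with tempfile.TemporaryDirectory() as tmp:
        for folder, version in samples.items():
            d = Path(tmp) / folder
            d.mkdir()
            (d / "plugin.php").write_text(
                f"<?php\n/**\n * Plugin Name: Essential Addons (constructed sample)\n"
                f" * Version: {version}\n */\n", encoding="utf-8")
        return scan(tmp)


if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

Any folder reported as `VULNERABLE` should be updated to 5.7.2 or removed until it can be, as described above.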