WordPress plug-ins allow organizations to quickly extend the functionality of their websites without requiring any coding or advanced technical skills. But they have also been the biggest source of risk for website operators in recent years.
The newest example is a critical privilege escalation vulnerability in a plug-in that over 1 million WordPress websites use, called Essential Addons for Elementor Plugin. The vulnerability, tracked as CVE-2023-32243, affects versions 5.4.0 through 5.7.1 of the plug-in and allows an unauthenticated attacker to escalate privileges to that of any user on the WordPress site — including that of an administrator.
Privilege Escalation Flaw
Researchers at Patchstack discovered the vulnerability on May 8 and disclosed it to WPDeveloper, the author of Essential Addons for Elementor. WPDeveloper on May 11 released a new version of the software (version 5.7.2) that addresses the bug. The vendor described the new version as featuring a security enhancement in the login and register form for the software.
According to Patchstack, the bug has to do with Essential Addons' code resetting passwords without validating if the associated password reset keys are present and legitimate. This offers a way for an unauthenticated attacker to reset the password of any user on an affected WordPress site and login to their account.
"This vulnerability occurs because [the] password reset function does not validate a password reset key and instead directly changes the password of the given user," Patchstack said in a post.
The new bug is one among thousands of vulnerabilities that researchers have uncovered in WordPress plug-ins in recent years.
Patchstack counted 4,528 new vulnerabilities in WordPress plug-ins in 2022 alone, a startling 328% increase over the 1,382 it observed in 2021. Plug-ins accounted for 93% of the reported bugs in the WordPress environment in 2022. Just 0.6% of confirmed bugs were in the core WordPress platform itself. Some 14% of the bugs were of either high or critical severity.
A Relentless Barrage of Flaws
The trend has continued unabated this year. iThemes, a company that tracks WordPress plug-in flaws on a weekly basis counted 160 vulnerabilities just in the one-week period ending April 26. The bugs affected some 8 million WordPress websites, and only 68 of them had patches at vulnerability disclosure time.
Just last week, Patchstack reported on another privilege escalation vulnerability in a different WordPress plug-in (Advanced Custom Fields Plugins) that affected two million websites. The vulnerability gave attackers a way to both steal sensitive data from affected sites as well as escalate privileges on them.
In April, Sucuri reported on a campaign dubbed "Balada Injector," where a threat actor, over at least the past five years, has been systematically injecting malware into WordPress sites via vulnerable plug-ins. The security vendor assessed the threat actor behind the campaign had infected at least one million WordPress sites with malware that redirected site visitors to fake tech support sites, fraudulent lottery sites, and other scam sites.
Sucuri found the threat actor using newly disclosed vulnerabilities and, in some instances, zero-day bugs to launch massive attack waves against WordPress sites.
A lot of the attacker interest in the WordPress ecosystem has to do with its widespread use. Estimates on the exact number of WordPress sites worldwide vary widely with some pegging the number at upwards of 800 million. Technology survey website W3Techs, which some consider a reliable source for WordPress-related statistics, estimates that some 43% of all websites worldwide currently use WordPress.
According to Patchstack, the growing number of vulnerabilities that are being reported in the WordPress ecosystem isn't necessarily a sign that plug-in developers are getting sloppier. What it indicates rather is that security researchers are looking harder.
"This also means that the WordPress ecosystem is becoming more secure because a lot more of these security bugs are being addressed and patched," Patchstack said.