CVE-2023-32243: 
WordPress vulnerability analysis and mitigation

CVE-2023-32243 is a critical vulnerability affecting WPDeveloper Essential Addons for Elementor WordPress plugin versions 5.4.0 through 5.7.1. The vulnerability was discovered on May 8, 2023, and publicly disclosed on May 11, 2023, after the release of the patched version 5.7.2. This improper authentication vulnerability affects over 1 million WordPress installations (Patchstack Article).

The vulnerability is classified as an improper authentication issue (CWE-287) with a critical CVSS score of 9.8. The security flaw stems from a lack of password reset key validation in the reset_password function, which allows direct modification of user passwords without proper verification. The vulnerability exists in the plugin's init hook within the register_hooks function, specifically in the login_or_register_user function that handles password reset functionality (Patchstack Article, NVD).

The vulnerability allows any unauthenticated user to escalate their privileges to match any user on the WordPress site, including administrators. An attacker can reset the password of any user account by knowing only the username or email address, potentially leading to complete website compromise (Security Online).

Users are strongly advised to update to Essential Addons for Elementor version 5.7.2 or later, which includes a patch for this vulnerability. The fix implements proper validation of the password reset key using the eael_resetpassword_rp_data_* value configured from the eael_redirect_to_reset_password function (Patchstack Article).