Privilege Escalation in Plus Addons for Elementor Plugin by WordPress
CVE-2021-4331

8.8HIGH

Key Information:

Vendor

Wordpress
Status
The Plus Addons For Elementor Page Builder
The Plus Addons For Elementor | Free Elementor Widgets & Elementor Templates, Header Menu, Blog Post Builder, Dark Mode, Full-page Scroll, Cross Domain Copy
Vendor
CVE Published:
7 March 2023

What is CVE-2021-4331?

The Plus Addons for Elementor plugin for WordPress presents a vulnerability that permits privilege escalation in versions up to and including 4.1.9 (pro) and 2.0.6 (free). This issue arises from the registration form feature, where users can select the default role for new registrations. Unfortunately, this field remains visible to lower-level users, enabling individuals with limited permissions, such as contributors, to assign themselves higher roles like administrator. This flaw allows such users to potentially elevate their privileges without requiring any admin intervention.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

The Plus Addons for Elementor | FREE Elementor Widgets & Elementor Templates, Header Menu, Blog Post Builder, Dark Mode, Full-Page Scroll, Cross Domain Copy * <= 2.0.6

The Plus Addons for Elementor Page Builder * <= 4.1.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chloe Chamberland
JSON
.