Elementor Website Builder < 3.12.2 - Admin+ SQLi
CVE-2023-0329

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Elementor Website Builder
Vendor: CVE Published:; 30 May 2023

Summary

The Elementor Website Builder plugin for WordPress prior to version 3.12.2 harbors a vulnerability that arises from inadequate sanitization and escaping of the Replace URL parameter in the Tools module. This flaw permits users with Administrative privileges to execute SQL injection attacks, potentially compromising the integrity and confidentiality of the database, allowing unauthorized access to sensitive information.

Affected Version(s)

Elementor Website Builder 0 < 3.12.2

References

https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-...

exploitvdb-entrytechnical-description

http://packetstormsecurity.com/files/175639/Elementor-Web...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 30, 2023
Vulnerability Reserved
Jan 16, 2023

Credit

Sanjay Das

WPScan