Elementor Website Builder < 3.12.2 - Admin+ SQLi
CVE-2023-0329

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Elementor Website Builder
Vendor: CVE Published:; 30 May 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Elementor Website Builder plugin for WordPress prior to version 3.12.2 harbors a vulnerability that arises from inadequate sanitization and escaping of the Replace URL parameter in the Tools module. This flaw permits users with Administrative privileges to execute SQL injection attacks, potentially compromising the integrity and confidentiality of the database, allowing unauthorized access to sensitive information.

Affected Version(s)

Elementor Website Builder 0 < 3.12.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-0329 - Proof of Concept

References

https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-...

exploitvdb-entrytechnical-description

http://packetstormsecurity.com/files/175639/Elementor-Web...

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
May 30, 2023
👾
Exploit known to exist
May 30, 2023
Vulnerability published
May 30, 2023
Vulnerability Reserved
Jan 16, 2023

Credit

Sanjay Das

WPScan