Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 - Authenticated (Contributor+) Arbitrary File Upload
CVE-2023-3295

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Unlimited Elements For Elementor (free Widgets, Addons, Templates)
Vendor: CVE Published:; 17 June 2023

Summary

The Unlimited Elements for Elementor plugin for WordPress, specifically in versions up to 1.5.66, has a vulnerability that permits arbitrary file uploads. This flaw arises from inadequate validation of file types within the file manager functionality. Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability to upload malicious files to the server, potentially leading to remote code execution. Though an initial patch was implemented in version 1.5.66, it was only fully resolved in version 1.5.67. Additionally, CVE-2023-31231 is noted as a duplicate of this vulnerability.

Affected Version(s)

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) * <= 1.5.66

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/unlimited-elem...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 17, 2023
Vulnerability Reserved
Jun 16, 2023

Credit

Chloe Chamberland

Rafie Muhammad