Cross-Site Request Forgery in Elementor Addon Elements Plugin for WordPress
CVE-2023-4690

5.4 MEDIUM

What is CVE-2023-4690?

The Elementor Addon Elements plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability caused by inadequate nonce validation in the eae_save_config function. The flaw lets unauthorized users change plugin configuration settings if they can trick an administrator into performing an action, such as clicking a crafted link. Sites running versions up to and including 1.12.7 are at risk and should implement appropriate security measures to guard against exploitation.
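The kind of check whose absence produces this class of bug, shown as an added example (not the plugin's code and not its actual fix): a WordPress AJAX settings handler that validates a nonce, then the caller's capability, then the submitted keys. Every name prefixed example_ or EXAMPLE_, the option name and the module keys are hypothetical.

```php
<?php
/**
 * Constructed illustration of a CSRF-resistant settings-save handler.
 * Identifiers prefixed "example_" are hypothetical, not the plugin's own.
 */
const EXAMPLE_NONCE_ACTION = 'example_save_config';

// Settings page: emit a hidden nonce field tied to the current user and this
// action. The page's script posts it to admin-ajax.php with the form fields.
function example_render_settings_form() {
    echo '<form id="example-config">';
    wp_nonce_field( EXAMPLE_NONCE_ACTION, 'example_nonce' );
    echo '<input type="checkbox" name="modules[example-module]" value="1">';
    echo '<button type="submit">Save</button></form>';
}

// Registered for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_example_save_config', 'example_save_config' );

function example_save_config() {
    // 1. CSRF check: a forged cross-site request carries the administrator's
    //    cookies but cannot supply a valid nonce. $die = false lets the
    //    handler return its own JSON error instead of a bare -1.
    if ( ! check_ajax_referer( EXAMPLE_NONCE_ACTION, 'example_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }

    // 2. Authorization: a nonce is not an access control, so check the
    //    capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Accept only known keys and coerce each to a boolean, so the request
    //    cannot write arbitrary structure into the stored option.
    $allowed = array( 'example-module', 'another-module' ); // hypothetical keys
    $posted  = ( isset( $_POST['modules'] ) && is_array( $_POST['modules'] ) )
        ? wp_unslash( $_POST['modules'] )
        : array();

    $config = array();
    foreach ( $allowed as $key ) {
        $config[ $key ] = ! empty( $posted[ $key ] );
    }

    update_option( 'example_plugin_config', $config );
    wp_send_json_success( $config );
}
```

wp_send_json_error() terminates the request, so each failed check stops the handler before update_option() is reached.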

Affected Version(s)

Addon Elements for Elementor (formerly Elementor Addon Elements): versions 0 through 1.12.7 (inclusive)

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
Paolo Tresso