WordPress Plugin Vulnerabilities

Elementor Pro < 3.11.7 - Subscriber+ Arbitrary Options Update

Description

The plugin does not have authorisation in an AJAX action (relying only on a nonce, which is available to any authenticated users), and does not validate the options to be updated. This allows any authenticated users, such as subscriber to update arbitrary blog options, such as the default_role, when the WooCommerce plugin is also active

Affects Plugins

Plugin icon
elementor-pro
Fixed in 3.11.7

References

CVE
CVE-2023-3124
URL
https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-wordpress-elementor-pro-plugin/

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Jerome Bruandet (Nintechnet)
Verified
Yes
WPVDB ID
73e8e030-8e8b-43de-a602-c699ab2eafaf

Timeline

Publicly Published
2023-03-28 (about 1 years ago)
Added
2023-03-28 (about 1 years ago)
Last Updated
2023-06-08 (about 11 months ago)

Other

Published
Title
Published
2022-11-01
Title
WatchTowerHQ < 3.6.16 - Unauthenticated Arbitrary File Deletion
Published
2024-04-22
Title
Contest Gallery < 21.3.5 - Authenticated (Author+) Arbitrary File Deletion
Published
2023-11-03
Title
Short URL <= 1.6.8 - Missing Authorization via multiple AJAX functions
Published
2024-03-06
Title
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization to Unauthenticated Media Upload
Published
2024-02-29
Title
Wp Social Login and Register Social Counter < 3.0.1 - Missing Authorization to Unauthenticated Social Login/Share Status Update