Elementor Website Builder < 3.12.2 – Admin+ SQLi | CVE 2023-0329 | Plugin Vulnerabilities

Description

The plugin does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.

Proof of Concept

1. Go to Elementor > Tools > Replace URL
2. Fill the first field with `http://localhost:8000/`
3. Fill the second field with `http://localhost:8000/?test'),meta_key='key4'where+meta_id=SLEEP(2);#`
4. Note the additional time taken by the request, demonstrating the SQL injection vulnerability.

Affects Plugins

Fixed in 3.12.2

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Sanjay Das

Submitter

Sanjay Das

Submitter website

https://p3n7a90n.github.io/

Submitter twitter

Verified

Yes

WPVDB ID

a875836d-77f4-4306-b275-2b60efff1493

Timeline

Publicly Published

2023-05-02 (about 2 years ago)

Added

2023-05-02 (about 2 years ago)

Last Updated

2023-05-02 (about 2 years ago)

Other

Published

Title

Published

2020-05-18

Title

Ajax Load More < 5.3.2 - Authenticated SQL Injection

Published

2022-01-24

Title

Popup Builder < 4.0.7 - Admin+ SQL Injection

Published

2025-05-16

Title

Radio Player Shoutcast & Icecast WordPress Plugin <= 4.4.6 - Authenticated (Contributor+) SQL Injection

Published

2025-01-06

Title

School Management System – WPSchoolPress < 2.2.15 - Student/Parent+ SQL Injection

Published

2025-01-31

Title

Traveler Code < 3.1.2 - Authenticated (Subscriber+) SQL Injection