WordPress Plugin Vulnerabilities

Elementor Website Builder < 3.12.2 - Admin+ SQLi

Description

The plugin does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.

Proof of Concept

1. Go to Elementor > Tools > Replace URL
2. Fill the first field with `http://localhost:8000/`
3. Fill the second field with `http://localhost:8000/?test'),meta_key='key4'where+meta_id=SLEEP(2);#`
4. Note the additional time taken by the request, demonstrating the SQL injection vulnerability.

Affects Plugins

Plugin icon
elementor
Fixed in 3.12.2

References

CVE
CVE-2023-0329

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Sanjay Das
Submitter
Sanjay Das
Submitter website
https://p3n7a90n.github.io/
Submitter twitter
p3n7a90n
Verified
Yes
WPVDB ID
a875836d-77f4-4306-b275-2b60efff1493

Timeline

Publicly Published
2023-05-02 (about 7 months ago)
Added
2023-05-02 (about 6 months ago)
Last Updated
2023-05-02 (about 6 months ago)

Other

Published
Title
Published
2015-05-06
Title
Freshmail for WordPress <= 1.5.8 - Unauthenticated SQL Injection
Published
2022-05-30
Title
Events Made Easy < 2.2.81 - Unauthenticated SQLi
Published
2018-09-25
Title
Capability Manager Enhanced <= 1.5.8 - Authenticated SQLi
Published
2021-11-15
Title
Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
Published
2023-10-30
Title
Image horizontal reel scroll slideshow < 13.3 - Authenticated (Subscriber+) SQL Injection via Shortcode