WordPress Plugin Vulnerabilities

Elementor Addon Elements < 1.12.8 - Elementor Addon Element Enabling/Disabling via CSRF

Description

The plugin does not have CSRF check in its eae_save_elements function, which could allow attackers to make logged in admins enable and disable Elementor add-on elements via a CSRF attack

Affects Plugins

Plugin icon
addon-elements-for-elementor-page-builder
Fixed in 1.12.8

References

CVE
CVE-2023-4689

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka, Paolo Tresso
Verified
No
WPVDB ID
b5c24afa-698e-426e-88f4-cb36a31769d1

Timeline

Publicly Published
2023-11-15 (about 2 years ago)
Added
2023-11-16 (about 2 years ago)
Last Updated
2023-11-16 (about 2 years ago)

Other

Published
Title
Published
2023-10-06
Title
Schedule Posts Calendar < 5.3 - CSRF
Published
2024-11-01
Title
Manage User Columns < 1.0.6 - Cross-Site Request Forgery
Published
2024-01-02
Title
Autotitle for WordPress <= 1.0.3 - Settings Update to Stored XSS via CSRF
Published
2024-10-18
Title
AVChat Video Chat <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-12-20
Title
eCommerce Product Catalog Plugin for WordPress < 3.3.44 - Cross-Site Request Forgery to Password Reset