Elementor Website Builder < 3.16.5 – Missing Authorization to Arbitrary Attachment Read | CVE 2023-47504 | Plugin Vulnerabilities

Description

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_inline_svg function in all versions up to, and including, 3.16.4. This makes it possible for authenticated attackers, with contributor-level access and above, to read arbitrary attachment files.

Affects Plugins

Fixed in 3.16.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c873c76a-144e-4945-8fa2-c9ffe0e3c061

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

e60f0f7e-4c3b-4107-803a-8e03526859ed

Timeline

Publicly Published

2023-11-08 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2026-01-25

Title

Share This Image < 2.10 - Missing Authorization

Published

2025-12-19

Title

F70 Lead Document Download <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary Media File Download

Published

2026-02-09

Title

WooCommerce Bulk Product Editor <= 3.0 - Missing Authorization

Published

2025-10-14

Title

Find And Replace content for WordPress <= 1.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

Published

2024-04-11

Title

Filter Custom Fields & Taxonomies Light <= 1.05 - Missing Authorization