CVE-2023-0329
Published: 30 May 2023
Summary
CVE-2023-0329 is a high-severity vulnerability of unspecified weakness type in Elementor Website Builder. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Elementor Website Builder WordPress plugin before version 3.12.2 contains a SQL injection vulnerability in the Tools module. The root cause is a failure to sanitize and escape the Replace URL parameter before incorporating it into a SQL statement.
Administrators can exploit the flaw over the network with low attack complexity and no user interaction required, achieving full impact on confidentiality, integrity, and availability as reflected in the CVSS 7.2 rating.
References on WPScan and Packet Storm Security document the issue and include exploitation details; the affected plugin must be updated to 3.12.2 or later to address it. The associated EPSS score has remained flat at 0.0914 with no material rise observed.
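The root cause above (a URL taken from an administrator form and placed into a SQL statement without sanitization or escaping) is the classic pattern that WordPress's `$wpdb->prepare()` exists to prevent. The following is an added illustration, not Elementor's code and not the actual 3.12.2 fix: a hypothetical plugin handler for a "replace URL" tool, with the weak pattern the advisory describes next to a hardened version. Function names, the nonce action name and the `from`/`to` field names are assumptions.

```php
<?php
// Added illustration (not Elementor's code): a hypothetical admin-only
// "replace URL" handler for a WordPress plugin. Function names, the nonce
// action and the POST field names are assumptions for this example.

/**
 * WEAK PATTERN (what the advisory describes): the old/new URL values are
 * interpolated straight into the statement, so characters in the value become
 * part of the SQL grammar. Kept only so the difference is visible; do not use.
 */
function example_replace_url_unsafe( $old_url, $new_url ) {
    global $wpdb;
    $sql = "UPDATE {$wpdb->postmeta} SET meta_value = REPLACE(meta_value, '$old_url', '$new_url')";
    return $wpdb->query( $sql ); // rows affected, or false on error
}

/**
 * HARDENED: capability and nonce checks, input sanitization, and placeholders.
 * $wpdb->prepare() quotes and escapes every %s argument, and the LIKE pattern
 * is built with $wpdb->esc_like() so '%' and '_' inside a URL stay literal.
 */
function example_replace_url_safe() {
    global $wpdb;

    // Defence in depth: the tool is admin-only, but this does not fix the SQL
    // injection on its own; the placeholders below do.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    check_admin_referer( 'example_replace_url' ); // assumed nonce action name

    // Sanitize: keep only a well-formed URL (esc_url_raw rejects junk schemes).
    $old_url = isset( $_POST['from'] ) ? esc_url_raw( wp_unslash( $_POST['from'] ) ) : '';
    $new_url = isset( $_POST['to'] )   ? esc_url_raw( wp_unslash( $_POST['to'] ) )   : '';
    if ( '' === $old_url || '' === $new_url ) {
        return new WP_Error( 'invalid', 'Both URLs must be valid.' );
    }

    // Escape: values travel as bound placeholders, never as SQL text.
    $like = '%' . $wpdb->esc_like( $old_url ) . '%';
    $sql  = $wpdb->prepare(
        "UPDATE {$wpdb->postmeta}
            SET meta_value = REPLACE(meta_value, %s, %s)
          WHERE meta_value LIKE %s",
        $old_url,
        $new_url,
        $like
    );
    return $wpdb->query( $sql ); // rows affected, or false on error
}
```

The two steps the advisory names map directly onto the hardened function: "sanitize" is the `esc_url_raw()` call that rejects anything that is not a URL, and "escape" is `$wpdb->prepare()` binding the values as `%s` placeholders. Table names are still interpolated, but they come from `$wpdb` rather than from the request. For a site that cannot update immediately, the same review applies to any custom code that builds SQL from request parameters, regardless of which role can reach the form.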
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12390
Vulnerability details
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.