Cyber Resilience

CVE-2023-0329

High · Public PoC

Published: 30 May 2023

Modified: 23 April 2025
KEV Added
Patch
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0914 (92.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-0329 is a high-severity vulnerability in Elementor Website Builder with no weakness type (CWE) listed. Its CVSS base score is 7.2 (High).

Operationally, it is ranked in the top 7.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Elementor Website Builder WordPress plugin before version 3.12.2 contains a SQL injection vulnerability in the Tools module. The root cause is a failure to sanitize and escape the Replace URL parameter before incorporating it into a SQL statement.

Administrators can exploit the flaw over the network with low attack complexity and no user interaction required, achieving full impact on confidentiality, integrity, and availability as reflected in the CVSS 7.2 rating.

References on WPScan and Packet Storm Security document the issue and include exploitation details; the affected plugin must be updated to 3.12.2 or later to address it. The associated EPSS score has remained flat at 0.0914 with no material rise observed.

Vulnerability details

The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

elementor | website builder | ≤ 3.12.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References