CVE-2023-0329: Elementor Website Builder WordPress Plugin SQL Injection Vulnerability in Replace URL Parameter

CVE-2023-0329 refers to a critical security vulnerability discovered in the popular Elementor Website Builder WordPress plugin, which allows an attacker with administrator privileges to perform SQL injection attacks. This vulnerability has been identified in versions of the plugin before v3.12.2, and it's recommended that users of the plugin update to the latest version to ensure the security of their websites.

In this post, we will provide you with a detailed breakdown of the vulnerability, including a code snippet that demonstrates the exploit, links to original references, and further details about the exploit itself.

Vulnerability Details

The Elementor Website Builder WordPress plugin is widely used for creating custom websites using simple drag-and-drop functionality. However, the plugin suffers from a severe security flaw in the Replace URL parameter of the Tools module. This flaw allows an authenticated user with the administrator role to execute SQL injection attacks on the website.

The vulnerability arises from the plugin's failure to sanitize and properly escape the Replace URL parameter before inserting it into a SQL query. As a result, an attacker can inject malicious SQL code into the query, potentially compromising the website's database and any sensitive information stored within.

Code Snippet

To better understand the nature of this vulnerability, let's take a look at a code snippet that demonstrates the exploit:

//... Elementor Plugin code
$replace_url = $_POST['replace_url'];
$old_url = $_POST['old_url'];

// Vulnerable SQL query
$sql_query = "UPDATE $wpdb->postmeta SET meta_value = REPLACE(meta_value, '$old_url', '$replace_url') WHERE meta_key = '_elementor_data'";
$wpdb->query($sql_query);
//... Elementor Plugin code

In the code above, the $replace_url variable is taken from the POST request without any sanitization and interpolated directly into the SQL string (as is $old_url), which is what makes the query injectable.

Exploit Details

To exploit this vulnerability, an attacker needs access to a WordPress website with the Elementor plugin installed (a version before 3.12.2) and administrator privileges. The attacker can then manipulate the Replace URL parameter in the Tools module to insert malicious SQL code, potentially compromising the website's database, exfiltrating sensitive information, or even gaining full control of the website.

Here is an example of a malicious payload that could be used in this exploit:

'; DROP TABLE wp_users; --

By inserting this payload as the Replace URL parameter, the attacker could potentially delete the entire user table from the website's database, causing irreversible damage to the site.
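
A hardened counterpart to the snippet in the Code Snippet section, as an added example (not Elementor's code or its actual patch): both URLs are validated and then bound through $wpdb->prepare() placeholders, so the payload above would be rejected as a non-URL and could never change the query's structure. The function name and the nonce action are hypothetical, and the code assumes it runs inside a WordPress admin request.

```php
<?php
// Added example, not Elementor's code. Assumes a WordPress admin request.
// example_replace_urls_safely() and the nonce action are hypothetical names.
function example_replace_urls_safely() {
    global $wpdb;

    // Administrators only, and only with a valid nonce (blocks CSRF).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_replace_url' ); // hypothetical nonce action

    // WordPress adds slashes to $_POST; strip them and accept strings only.
    $read = function ( $key ) {
        $value = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
        return is_string( $value ) ? trim( $value ) : '';
    };
    $old_url = $read( 'old_url' );
    $new_url = $read( 'replace_url' );

    // Allow-list validation: both values must be well-formed http(s) URLs.
    foreach ( array( $old_url, $new_url ) as $url ) {
        $scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );
        if ( ! filter_var( $url, FILTER_VALIDATE_URL )
            || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
            wp_die( 'Both values must be valid URLs.', '', array( 'response' => 400 ) );
        }
    }
    if ( $old_url === $new_url ) {
        wp_die( 'The two URLs must differ.', '', array( 'response' => 400 ) );
    }

    // %s placeholders: prepare() escapes and quotes each value, so user
    // input is always data and never part of the SQL syntax.
    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->postmeta}
            SET meta_value = REPLACE(meta_value, %s, %s)
          WHERE meta_key = '_elementor_data'",
        $old_url,
        $new_url
    );

    // query() returns the number of affected rows, or false on a DB error.
    $rows = $wpdb->query( $sql );
    return false === $rows
        ? new WP_Error( 'db_error', 'URL replacement failed.' )
        : (int) $rows;
}
```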

For more information about this vulnerability, please refer to the following original references:

1. CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0329
2. Elementor Plugin: https://wordpress.org/plugins/elementor/

Conclusion

In summary, this post has detailed the critical SQL injection vulnerability (CVE-2023-0329) found in the Elementor Website Builder WordPress plugin before v3.12.2. It is highly recommended that users of this plugin update to the latest version to protect their websites from potential attacks.

Remember, the security of your website is your responsibility, and it's essential to stay informed about new vulnerabilities and keep your plugins, themes, and WordPress core up-to-date.

Timeline

Published on: 05/30/2023 08:15:00 UTC
Last modified on: 06/03/2023 04:18:00 UTC