CVE-2023-47661: Missing Authorization Vulnerability in Dragfy Addons for Elementor Leading to Incorrectly Configured Access Control Security Levels Exploits

A Missing Authorization vulnerability (CVE-2023-47661) has been identified in Dragfy Addons for Elementor, a popular plugin for the Elementor website builder. Attackers could exploit this vulnerability to bypass access control security levels, potentially leading to unauthorized activities and data breaches. This issue affects Dragfy Addons for Elementor versions from n/a through 1..2.

Vulnerability Overview

The security flaw in Dragfy Addons for Elementor arises due to missing authorization checks. Consequently, the plugin does not properly restrict user access based on their privileges, allowing individuals with lower access levels or unauthorized users to perform actions they should not have access to, including sensitive data manipulation and unauthorized website changes.

Exploit Details

An attacker can exploit this vulnerability by sending crafted requests to the vulnerable Dragfy Addons for Elementor plugin with a specific payload targeting the missing authorization check. Subsequently, the attacker gains unauthorized access to restricted functionalities even without the required user access level.

This example code snipplet demonstrates how the exploit could be performed

import requests

URL="http://targeted_website.example.com/index.php";
EXPLOIT_PAYLOAD = {"elementor_action": "some_sensitive_action", "user_id": "attacker_id"}

response = requests.post(URL, data=EXPLOIT_PAYLOAD)

if response.status_code == 200:
    print("Exploit successful!")
else:
    print("Exploit failed.")

In the code above, the attacker sends a POST request to the target website with the Elementor elementor_action parameter set to a sensitive action they should not have access to, along with their user_id. If the response status is 200, the attacker has successfully exploited the vulnerability.

Original References

For more information on this security vulnerability, please refer to the following original references:

1. CVE-2023-47661 entry in the CVE List
2. Elementor Official Security Advisory

Mitigation Steps

To protect against the exploitation of CVE-2023-47661, it is recommended that website administrators take the following steps:

1. Update Dragfy Addons for Elementor to the latest version (1..3 or higher) as soon as possible. This version contains patches addressing the discussed vulnerability.

Conclusion

The CVE-2023-47661 vulnerability presents potential risks to many websites that use the Dragfy Addons for Elementor plugin. Administrators must act swiftly to apply updates, verify access controls, and monitor website activities to minimize the risk of exploitation.

Timeline

Published on: 01/02/2025 12:15:16 UTC