CVE-2023-0329: SQL Injection in Website Builder

CWE-89: SQL Injection | 3 documents | 3 sources
Severity: 7.2 HIGH (NVD)
EPSS: 9.1% (top 7.31%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: May 30

Description

The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages: 1 packages

Vulnerability Details: 2

CVEList: Elementor Website Builder < 3.12.2 - Admin+ SQLi (2023-05-30)
GHSA: GHSA-vfrh-jg7v-x9p3: The Elementor Website Builder WordPress plugin before 3 (2023-05-30)