CVE-2023-3124: Critical Vulnerability in Elementor Pro WordPress Plugin (Up to v3.11.6) - Unauthorized Data Modification and Privilege Escalation

A critical vulnerability affecting the Elementor Pro plugin for WordPress (versions up to and including 3.11.6) has been discovered and assigned the identifier CVE-2023-3124. The vulnerability is present due to an improper capability check on the update_page_option function, which allows authenticated attackers with subscriber-level capabilities to modify arbitrary site options. This can lead to privilege escalation, which can heavily impact the affected sites, as it may enable the attackers to gain administrative privileges.

Description

In the affected versions of Elementor Pro, the plugin fails to properly check the user's capability by neglecting to implement an appropriate security mechanism. This allows attackers to execute the update_page_option function even if they have just subscriber-level access to a WordPress site. As a result, the attackers can modify various settings and potentially escalate their privileges on the affected site.

A simplified version of the vulnerable code within the Elementor Pro plugin is shown below

function update_page_option() {
	$option_key = sanitize_key( $_POST['option_key'] );
	$option_value = sanitize_text_field( $_POST['option_value'] );
	
	update_option( $option_key, $option_value );

	wp_send_json_success();
}

In this code snippet, you can observe that there is no check for capabilities before updating the site option. Any user that can send a POST request would be able to update the site options, potentially allowing the attacker to escalate their privileges.

Exploit Details

An attacker could exploit this vulnerability by crafting a malicious POST request to the vulnerable function in the Elementor Pro plugin. They must be authenticated with at least subscriber-level access to be successful in their exploit. The following example demonstrates how a crafted POST request might look:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target_site
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Cookie: [valid_session_cookie]

action=elementor_pro_update_page_option&option_key=sample_key&option_value=sample_value

By issuing this request, an attacker would be able to change the sample_key option to the value sample_value. This can have far-reaching consequences, including—but not limited to—disabling certain site features, affecting the site's appearance, and even escalating user privileges.

Original References

* Elementor Pro Changelog
* CVE-2023-3124 Details

Mitigation and Recommendations

If you are using Elementor Pro plugin on a WordPress site, it is essential to apply the necessary patches and updates as soon as possible to mitigate the risk of attackers exploiting this vulnerability. The following actions are recommended:

Ensure that the latest security patches for WordPress and other plugins are applied.

3. Limit the number of user accounts with subscriber-level access, and restrict access to essential personnel only.
4. Regularly monitor your site for suspicious activities, including unauthorized privilege escalation and settings modification.

In conclusion, keeping your WordPress site, including its plugins and themes, up-to-date is crucial for maintaining a secure online environment. Periodically review the security posture of your websites, and stay informed about emerging vulnerabilities and threats to minimize the risk of unauthorized access, data modification, and other security incidents.

Timeline

Published on: 06/07/2023 02:15:00 UTC
Last modified on: 06/13/2023 18:46:00 UTC