Elementor is one of the most popular WordPress website builders, powering millions of websites around the world. However, in November 2023, a serious vulnerability was disclosed: CVE-2023-47504. This flaw allowed attackers to reach privileged functionality in Elementor Website Builder (up to and including version 3.16.4) because the plugin did not properly authenticate the caller or constrain access with adequate access-control checks (the "ACLs" of the official advisory).
In this exclusive deep-dive, we'll break down the vulnerability in simple terms, demonstrate possible exploitation with code, and help you understand what it means for your WordPress site.
[References and Further Reading](#refs)
1. What is CVE-2023-47504?
CVE-2023-47504 describes an improper authentication vulnerability (CWE-287) in Elementor's code. In plain English, this means that Elementor didn't properly check who was calling certain privileged actions, or whether that caller was allowed to perform them.
This flaw let attackers reach backend functionality through Elementor's AJAX endpoints without holding the permissions those functions required.
2. Official Description and Affected Versions
> "Improper Authentication vulnerability in Elementor Elementor Website Builder allows Accessing Functionality Not Properly Constrained by ACLs..."
Fixed in: 3.16.5 (and later)
If you are running version 3.16.4 or older, your site is at risk!
3. How Does the Vulnerability Work?
WordPress exposes a single endpoint, wp-admin/admin-ajax.php, through which the browser (or anything else that can send an HTTP request) calls back into PHP. A plugin registers a handler for an action name with add_action('wp_ajax_{action}', ...), which WordPress dispatches only for logged-in users, and optionally add_action('wp_ajax_nopriv_{action}', ...), which it dispatches for anonymous visitors. Being dispatched for a logged-in user says nothing about that user's role, so every handler that does something privileged must itself verify a nonce (check_ajax_referer()) and a capability (current_user_can()).
But in vulnerable Elementor versions, some AJAX actions did not perform these checks properly: they ran without validating that the caller held the capability the action required.
For example, a vulnerable handler might look like this (illustrative code, not Elementor's actual source):
```php
// Hooked on wp_ajax_ only, so WordPress dispatches it for ANY logged-in user,
// from administrator down to subscriber. (A matching wp_ajax_nopriv_ hook
// would open it to anonymous visitors as well.)
add_action('wp_ajax_elementor_some_action', 'elementor_some_action_handler');

function elementor_some_action_handler() {
    // MISSING: nonce check (e.g., check_ajax_referer('elementor_some_action', 'nonce'))
    // MISSING: capability check (e.g., current_user_can('edit_posts'))
    $data = $_POST['data']; // used without validation
    // do something privileged with $data
    wp_send_json_success(['result' => 'Action complete!']);
}
```
As you can see, there is no capability check such as current_user_can('edit_posts'), and no nonce check either. Because the handler is hooked on wp_ajax_ only, any authenticated user, even a subscriber, can trigger it; if an action is also registered on wp_ajax_nopriv_, unauthenticated visitors can trigger it too. So whether "anyone" means any logged-in user or literally anyone depends on how the specific action is registered.
Either way, attackers could send crafted AJAX requests that Elementor would execute without the permission checks the action required.
4. Step-By-Step Exploit Example
Suppose a vulnerable action is exposed as wp-admin/admin-ajax.php?action=elementor_some_action. Here's how an attacker might exploit it.
Step 1: Probe the Endpoint
Open the browser (or use curl) and request
https://targetsite.com/wp-admin/admin-ajax.php?action=elementor_some_action
WordPress prints a bare 0 when no handler ran for the action (an unknown action, or an action registered only on wp_ajax_ while you are not logged in). If instead you get JSON output while not logged in, the action is reachable anonymously, and that's a red flag. Repeat the request while logged in as a low-privilege user (for example, a subscriber) to test the wp_ajax_ path.
Step 2: Trigger the Action
Here's a simple curl command to trigger the vulnerable action (add -b cookies.txt with a low-privilege session cookie to test the logged-in path):
```bash
curl -X POST "https://targetsite.com/wp-admin/admin-ajax.php" \
  -d "action=elementor_some_action" \
  -d "data=evil_payload"
```
Replace elementor_some_action and data as needed, based on the specific exposed Elementor actions.
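The following PHP CLI script is an added example (it is not from the original post and is not Elementor code) that automates Steps 1 and 2 against a site you are authorised to test: it POSTs each action name without any session cookie and classifies the reply, treating a bare 0 or -1 as "no handler ran" and a JSON envelope as "the handler ran". The target URL and the action list are placeholders you supply on the command line; elementor_some_action is the hypothetical name used throughout this article, not a real Elementor action.

```php
<?php
// probe_admin_ajax.php - added example, not Elementor code.
// Usage: php probe_admin_ajax.php https://your-site.example action_a,action_b
// Checks which admin-ajax.php actions answer an UNAUTHENTICATED request.
declare(strict_types=1);

/**
 * Classify an admin-ajax.php response body.
 * WordPress prints a bare "0" when no handler ran (unknown action, or a
 * wp_ajax_-only action hit without a login) and "-1" when a nonce check
 * failed, so both mean "not exposed to this caller".
 */
function classify_response(int $status, string $body): string
{
    $body = trim($body);
    if ($body === '0' || $body === '-1') {
        return 'not-exposed';
    }
    $json = json_decode($body, true);
    if (is_array($json) && array_key_exists('success', $json)) {
        // wp_send_json_success()/wp_send_json_error() envelopes: a handler ran.
        return $json['success'] ? 'handler-ran (RED FLAG if unauthenticated)' : 'handler-refused';
    }
    return "other (HTTP $status)";
}

/** POST one action with no cookie jar: this is deliberately the anonymous path. */
function probe(string $base, string $action, array $fields = []): string
{
    $ch = curl_init(rtrim($base, '/') . '/wp-admin/admin-ajax.php');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['action' => $action] + $fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = (string) curl_exec($ch);           // '' on transport failure
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return classify_response($status, $body);
}

// Assumed inputs: the target and the action names are placeholders.
$base    = $argv[1] ?? 'https://targetsite.com';
$actions = $argv[2] ?? 'elementor_some_action';

foreach (explode(',', $actions) as $action) {
    printf("%-40s %s\n", $action, probe($base, trim($action)));
}
```

Any action that comes back as "handler-ran" without a cookie is dispatched on wp_ajax_nopriv_ and executed; run the same list again with a subscriber's session cookie (CURLOPT_COOKIE) to find actions that are reachable by any logged-in user.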
Step 3: Abuse for Further Attack
If the exposed AJAX endpoint lets attackers change settings, create posts, or inject code, they could chain it into a deeper compromise:
- Even inject PHP code if the AJAX action is poorly coded
Site owners: Update Elementor to 3.16.5 or later. Tools like Wordfence or Sucuri can help monitor for exploit attempts against admin-ajax.php.
Developers:
When writing custom AJAX actions, always verify a nonce and check capabilities; being logged in is not authorization:
```php
add_action('wp_ajax_elementor_secure_action', 'elementor_secure_action_handler');

function elementor_secure_action_handler() {
    // Secure: verify the nonce first (dies with -1 / HTTP 403 on failure)
    check_ajax_referer('elementor_secure_action', 'nonce');
    // Secure: only allow admins
    if ( ! current_user_can('manage_options') ) {
        wp_send_json_error(['error' => 'Permission denied!'], 403);
        exit; // wp_send_json_error() already dies; kept for clarity
    }
    // Your secure action here
}
```
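As a fuller added example (not Elementor's code and not from the original post), here is the complete pattern for a privileged AJAX action: registration on wp_ajax_ only, a nonce check, a capability check, input validation, and the enqueue code that hands the nonce to the browser. The action name myplugin_save_settings, the option name myplugin_setting and the file admin.js are hypothetical.

```php
<?php
// Added example of a correctly guarded admin-ajax.php action (not Elementor code).
// All identifiers (myplugin_*, admin.js) are hypothetical.
declare(strict_types=1);

// 1. Register on wp_ajax_ only. With no wp_ajax_nopriv_ registration, WordPress
//    never dispatches this action for anonymous visitors; admin-ajax.php
//    answers them with a bare "0".
add_action('wp_ajax_myplugin_save_settings', 'myplugin_save_settings_handler');

function myplugin_save_settings_handler(): void
{
    // 2. CSRF protection: the nonce is bound to the logged-in user and to the
    //    action string. check_ajax_referer() dies with "-1" (HTTP 403) on failure.
    check_ajax_referer('myplugin_save_settings', 'nonce');

    // 3. Authorization: a subscriber is logged in too. Require the capability
    //    that matches what the action does; wp_send_json_error() dies.
    if (! current_user_can('manage_options')) {
        wp_send_json_error(['error' => 'Permission denied'], 403);
    }

    // 4. Input validation: never trust $_POST, even from an administrator.
    $raw   = isset($_POST['data']) ? wp_unslash($_POST['data']) : '';
    $value = sanitize_text_field((string) $raw);
    if ($value === '' || strlen($value) > 200) {
        wp_send_json_error(['error' => 'Invalid data'], 400);
    }

    update_option('myplugin_setting', $value);
    wp_send_json_success(['result' => 'Action complete']);
}

// 5. Hand the nonce and the AJAX URL to the front end, and only to users who
//    can actually use the action.
add_action('admin_enqueue_scripts', function (): void {
    if (! current_user_can('manage_options')) {
        return;
    }
    wp_enqueue_script('myplugin-admin', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('myplugin-admin', 'myplugin', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('myplugin_save_settings'),
    ]);
});
```

Each layer stops a different caller: the wp_ajax_-only registration is what turns an anonymous request into a bare 0, the capability check is what refuses a logged-in subscriber, and the nonce is what defeats a cross-site request forged in an administrator's browser. The input validation protects against the "inject code" outcome even when the caller is fully authorized.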
References and Further Reading
- Official Advisory: Elementor – Improper Authentication CVE-2023-47504
- Elementor Plugin on WordPress.org: https://wordpress.org/plugins/elementor/
- Patch Announcement:
- Example code patterns:
Credits
- Initial vulnerability research was shared by Wordfence & WPScan.
Final Thoughts
CVE-2023-47504 is a crucial reminder: even the most popular plugins can have serious flaws. Always keep your WordPress and plugins updated, and watch out for unprotected functions or endpoints in your code. If you’re a site owner using Elementor, update right away and monitor for any signs of compromise.
Timeline
Published on: 04/24/2024 16:15:07 UTC