In the world of WordPress site building, plugins are everywhere. Dragfy Addons for Elementor is a popular extension that promises extra widgets and easy site customization. But in late 2023, a big security risk (tracked as CVE-2023-47661) came to light: a missing authorization check that allows attackers to exploit sites with Dragfy Addons installed—without permission or login.

This post will explain the vulnerability, show example code, provide exploit details (for educational research), and share the best and safest practices for fixing your site.

What is CVE-2023-47661?

CVE-2023-47661 is a Missing Authorization issue in Dragfy Addons for Elementor plugin versions up to and including 1..2. The plugin did not verify that the requester holds the required capability before executing certain actions. If you run an affected version, anyone could potentially perform operations that only administrators or logged-in users should be able to perform.

Risk: Attackers can exploit broken access controls to perform actions they’re not supposed to—uploading or deleting files, changing site settings, etc. Every affected site is at risk.

Where’s the Reference?

- NVD Entry for CVE-2023-47661
- Patchstack Security Advisory
- WPScan Advisory

Technical Details

The exploit takes advantage of the plugin’s insecure AJAX actions. Usually, AJAX handlers in WordPress include permission checks, like so:

if ( ! current_user_can( 'manage_options' ) ) {
    wp_send_json_error( 'Unauthorized', 403 );
}

But in Dragfy Addons for Elementor <= 1..2, handlers for some AJAX endpoints lack such checks.
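One practical way to check a plugin for this pattern is to list every AJAX action it registers and see whether the callback contains a capability or nonce check. The script below is an added example written for this post, not code from Dragfy Addons or from WordPress; it runs on a constructed sample plugin source embedded inline (or on a file path passed as the first CLI argument) and flags any handler that is reachable anonymously through a wp_ajax_nopriv_ hook without a current_user_can() call. It is a text-based heuristic, so a handler that delegates its checks to another function will show as REVIEW and needs a manual look.

```php
<?php
// Constructed sample plugin source (not Dragfy's code): one handler with no checks
// and one that verifies a nonce and a capability.
$sample = <<<'PHP'
add_action( 'wp_ajax_nopriv_demo_save', 'demo_save_cb' );
add_action( 'wp_ajax_demo_save', 'demo_save_cb' );
function demo_save_cb() {
    update_option( 'demo_data', $_POST['data'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_export', 'demo_export_cb' );
function demo_export_cb() {
    check_ajax_referer( 'demo_export', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }
    wp_send_json_success( get_option( 'demo_data' ) );
}
PHP;

// Collect add_action( 'wp_ajax[_nopriv]_<action>', 'callback' ) registrations with a string callback.
function find_ajax_handlers( string $src ): array {
    $re = '/add_action\(\s*[\'"]wp_ajax_(nopriv_)?([\w-]+)[\'"]\s*,\s*[\'"](\w+)[\'"]/';
    preg_match_all( $re, $src, $matches, PREG_SET_ORDER );
    $handlers = [];
    foreach ( $matches as $hit ) {
        $cb = $hit[3];
        $handlers[ $cb ]['action'] = $hit[2];
        // A callback is anonymously reachable if any of its registrations uses the nopriv hook.
        $handlers[ $cb ]['nopriv'] = ( $handlers[ $cb ]['nopriv'] ?? false ) || $hit[1] !== '';
    }
    return $handlers;
}

// Return the body of "function <name>(...) { ... }" by matching braces (ignores braces in strings).
function function_body( string $src, string $name ): ?string {
    if ( ! preg_match( '/function\s+' . preg_quote( $name, '/' ) . '\s*\(/', $src, $m, PREG_OFFSET_CAPTURE ) ) {
        return null;
    }
    $start = strpos( $src, '{', $m[0][1] );
    if ( $start === false ) {
        return null;
    }
    $depth = 0;
    for ( $i = $start, $n = strlen( $src ); $i < $n; $i++ ) {
        if ( $src[ $i ] === '{' ) {
            $depth++;
        } elseif ( $src[ $i ] === '}' && --$depth === 0 ) {
            return substr( $src, $start, $i - $start + 1 );
        }
    }
    return null;
}

// Rate each handler: nopriv + no capability check is the CVE-2023-47661 pattern.
function audit_ajax_handlers( string $src ): array {
    $findings = [];
    foreach ( find_ajax_handlers( $src ) as $cb => $info ) {
        $body      = function_body( $src, $cb ) ?? '';
        $has_cap   = (bool) preg_match( '/current_user_can\s*\(/', $body );
        $has_nonce = (bool) preg_match( '/(check_ajax_referer|wp_verify_nonce)\s*\(/', $body );
        if ( $info['nopriv'] && ! $has_cap ) {
            $risk = 'HIGH';
        } elseif ( ! $has_cap || ! $has_nonce ) {
            $risk = 'REVIEW';
        } else {
            $risk = 'OK';
        }
        $findings[] = [
            'action' => $info['action'], 'callback' => $cb, 'nopriv' => $info['nopriv'],
            'cap_check' => $has_cap, 'nonce_check' => $has_nonce, 'risk' => $risk,
        ];
    }
    return $findings;
}

// Audit a plugin file given on the command line, otherwise the constructed sample above.
$src = ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) ? file_get_contents( $argv[1] ) : $sample;
foreach ( audit_ajax_handlers( $src ) as $f ) {
    printf( "%-7s %-12s -> %-15s nopriv=%s cap=%s nonce=%s\n", $f['risk'], $f['action'], $f['callback'],
        var_export( $f['nopriv'], true ), var_export( $f['cap_check'], true ), var_export( $f['nonce_check'], true ) );
}
```

Run with `php audit.php wp-content/plugins/<plugin>/<file>.php`. On the embedded sample, demo_save is reported HIGH (nopriv, no capability check) and demo_export is reported OK; on a real plugin, start with the HIGH rows and confirm by reading the callback.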

Example vulnerable code (simplified)

// Vulnerable AJAX handler (example)
// The nopriv hook makes this callback reachable by visitors who are not logged in.
add_action( 'wp_ajax_dragfy_addon_action', 'dragfy_addon_action_cb' );
add_action( 'wp_ajax_nopriv_dragfy_addon_action', 'dragfy_addon_action_cb' );

function dragfy_addon_action_cb() {
    // Does something dangerous, but NO permission check and NO nonce check!
    // The raw POST value is also used without sanitization.
    $data = $_POST['data'];

    // For example, saving data to the database
    update_option( 'dragfy_addon_data', $data );

    wp_send_json_success( 'Saved!' );
}

Notice there’s no current_user_can() check—so anyone can trigger this action, logged in or not.

Exploit Example

Disclaimer: The following is for educational and defensive purposes only—do NOT use this against any system you do not own.

Suppose the vulnerable action can reset a plugin option. An attacker could POST the following request from anywhere:

curl -X POST https://vulnerable.site/wp-admin/admin-ajax.php \
  -d "action=dragfy_addon_action" \
  -d "data=malicious_value"

Response

{"success":true,"data":"Saved!"}

That’s it. No login, no security check—just a public API to mess with plugin data.
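Until the plugin can be updated, a site owner can stop these requests before the plugin's handler runs. The must-use plugin below is an added example for this post, not code from Dragfy Addons or from any security vendor. It hooks admin_init, which admin-ajax.php fires before it dispatches to the wp_ajax_* and wp_ajax_nopriv_* hooks, rejects any request for the guarded action from a caller who lacks manage_options (which covers every anonymous caller), and writes a log line so attempts can be counted. The action name dragfy_addon_action is taken from the simplified example above; the real action name must be confirmed from the plugin's own add_action() calls.

```php
<?php
/**
 * Plugin Name: Guard for unauthenticated dragfy_addon_action requests (added example)
 * Description: Place in wp-content/mu-plugins/ as a stop-gap until the plugin is updated.
 */

// Assumed action name, copied from this post's simplified handler; verify against the plugin.
const DRAGFY_GUARDED_ACTIONS = [ 'dragfy_addon_action' ];

add_action( 'admin_init', function () {
    // Only admin-ajax.php requests are of interest.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! in_array( $action, DRAGFY_GUARDED_ACTIONS, true ) ) {
        return;
    }

    // Anonymous callers and low-privilege users fail this test; the plugin's own handler,
    // registered on wp_ajax_* / wp_ajax_nopriv_*, is never reached for them.
    if ( ! current_user_can( 'manage_options' ) ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
        error_log( sprintf( '[dragfy-guard] blocked action=%s user=%d ip=%s', $action, get_current_user_id(), $ip ) );
        // wp_send_json_error() sends the JSON body and calls wp_die(), ending the request here.
        wp_send_json_error( 'Unauthorized', 403 );
    }
}, 0 );
```

With this in place the curl request above returns `{"success":false,"data":"Unauthorized"}` with HTTP 403 instead of saving anything, and each attempt appears in the PHP error log as a `[dragfy-guard] blocked` line. Remove the file after updating the plugin so the guard does not mask future regressions.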

If you need a quick fix before updating, add a permission check at the top of the vulnerable function:

function dragfy_addon_action_cb() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so nothing below runs for unauthorized callers.
        wp_send_json_error( 'Unauthorized', 403 );
    }
    // ...proceed as normal
}
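The capability check above closes the authorization hole, but the handler as shown in the vulnerable example still accepts cross-site requests from a logged-in admin's browser and still stores an unsanitized POST value. The block below is an added example, not Dragfy's code, showing the same handler with all three defenses in place: registered for logged-in users only (no nopriv hook), a nonce check against CSRF, a capability check, and input validation, plus the enqueue code that hands the nonce to the admin-side script. The names dragfy_addon_action and dragfy_addon_data come from the simplified snippet above; the nonce action 'dragfy_addon_nonce', the script handle and admin.js are assumed.

```php
<?php
// Hardened version of the simplified handler (added example). Assumed names:
// 'dragfy_addon_nonce' (nonce action), 'dragfy-addon-admin' (script handle), admin.js.

// 1. Logged-in users only: no wp_ajax_nopriv_ registration, so anonymous
//    requests never reach this callback.
add_action( 'wp_ajax_dragfy_addon_action', 'dragfy_addon_action_cb_hardened' );

function dragfy_addon_action_cb_hardened() {
    // 2. CSRF: the request must carry a nonce bound to this action. check_ajax_referer()
    //    terminates the request with a 403 when the nonce is missing or expired.
    check_ajax_referer( 'dragfy_addon_nonce', 'nonce' );

    // 3. Authorization: the caller must hold the capability this action requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }

    // 4. Input validation: never write raw $_POST into the options table.
    $data = isset( $_POST['data'] ) ? sanitize_text_field( wp_unslash( $_POST['data'] ) ) : '';
    if ( $data === '' || strlen( $data ) > 255 ) {
        wp_send_json_error( 'Invalid data', 400 );
    }

    update_option( 'dragfy_addon_data', $data );
    wp_send_json_success( 'Saved!' );
}

// 5. Give the admin-side script the nonce it must send with every request.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'dragfy-addon-admin', plugins_url( 'admin.js', __FILE__ ), [ 'jquery' ], '1.0', true );
    wp_localize_script( 'dragfy-addon-admin', 'dragfyAddon', [
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'dragfy_addon_nonce' ),
    ] );
} );
```

The browser-side script then posts `action=dragfy_addon_action`, `nonce=<dragfyAddon.nonce>` and `data=...` to `dragfyAddon.ajaxUrl`. The order of the checks matters: the nonce check comes first because it is cheap and fails closed, the capability check decides who may perform the action, and sanitization guards the stored value even when both pass.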

Conclusion

CVE-2023-47661 is a classic example of why plugins must always enforce proper authorization checks—even for the most innocent-looking actions. If you run Dragfy Addons for Elementor (<=1..2), update now or risk someone quietly taking control of your precious site.

More Reading

- Patchstack Vulnerability Database
- NIST CVE-2023-47661
- WPScan Entry

If you have questions or want to check your site, feel free to comment or contact a professional security team.

Timeline

Published on: 01/02/2025 12:15:16 UTC