5 matches found
Elementor Website Builder SQL Injection
Proof of concept exploit that demonstrates a remote SQL injection vulnerability in Elementor Website Builder versions prior to 3.12.2. | Title : Elementor...
Elementor Website Builder < 3.12.2 - Admin+ SQLi
EXPLOIT Elementor Website Builder Replace URL page. On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL": code : http://localhost:8080/?test',metakey='key4'where+metaid=SLEEP2; Press "Replace URL" on the Replace URL page. Burp...
CVE-2023-0329
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role...
CVE-2023-0329
CVE-2023-0329 affects the Elementor Website Builder WordPress plugin prior to 3.12.2. The issue is a SQL injection caused by improper sanitization/escaping of the Replace URL parameter in the Tools module before it is used in a SQL statement. Exploitation requires privileges of an Administrator, ...
WordPress Elementor Website Builder Plugin <= 3.12.1 is vulnerable to SQL Injection
Software: Elementor Website Builder
Type: Plugin
Vulnerable versions: <= 3.12.1
Fixed in: 3.12.2
OWASP Top 10: A1: Injection
Classification: SQL Injection
CVE: CVE-2023-0329
Patch priority: Low
CVSS severity: Low 6.6
Developer: Elementor
PSID: c642fe631d89
Credits: Sanjay Das
Required privilege: Administrator...