Elementor Website Builder < 3.12.2 - Admin+ SQLi
Description
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Elementor Website Builder plugin before 3.12.2 has an admin-level SQL injection via an unsanitized Replace URL parameter in the Tools module.
Vulnerability
The Elementor Website Builder WordPress plugin versions before 3.12.2 contain a SQL injection vulnerability in the Tools module. The plugin fails to properly sanitize and escape the Replace URL parameter before using it in a SQL statement, allowing an attacker with Administrator-level access to inject arbitrary SQL. The flaw affects plugin versions 3.12.1 and earlier [1].
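The pattern behind this class of bug, as an added illustration that is not Elementor's own code or its actual patch: a hypothetical admin-only URL-replace routine that concatenates the submitted values into the statement, beside a version that validates them and binds them with $wpdb->prepare(). The function names, the nonce action name and the exact query are assumptions.

```php
<?php
// Illustrative example, not Elementor's code. Function and nonce names are hypothetical.

// Vulnerable pattern: the submitted old/new URL values are concatenated straight
// into the SQL string, so a crafted value changes the statement itself rather than
// being treated as data. Being an Administrator does not make this safe.
function replace_url_vulnerable( $old_url, $new_url ) {
    global $wpdb;
    $sql = "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, '"
         . $old_url . "', '" . $new_url . "')";
    return $wpdb->query( $sql );
}

// Hardened pattern: restrict who can reach the tool, validate both values as URLs,
// then bind them with $wpdb->prepare() so the database always sees them as strings.
function replace_url_hardened( $old_url, $new_url ) {
    global $wpdb;

    // Capability and nonce checks limit who can trigger the tool (defence in depth);
    // they do not by themselves close the injection.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    check_admin_referer( 'replace_url_tool' ); // hypothetical nonce action name

    // esc_url_raw() returns '' for values that are not acceptable URLs.
    $old_url = esc_url_raw( wp_unslash( $old_url ) );
    $new_url = esc_url_raw( wp_unslash( $new_url ) );
    if ( '' === $old_url || '' === $new_url ) {
        return new WP_Error( 'invalid_url', 'Both values must be valid URLs.' );
    }

    // %s placeholders are quoted and escaped by prepare(); the query text is fixed.
    return $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)",
            $old_url,
            $new_url
        )
    );
}
```

The table name is interpolated from $wpdb->posts, a plugin-controlled constant, which is the only part of the statement that should ever come from concatenation.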
Exploitation
An attacker must have the Administrator role on a WordPress site using a vulnerable version of the Elementor plugin. The attacker navigates to the Tools module and provides a crafted Replace URL value that contains SQL injection payloads. The plugin does not sanitize this input, so the malicious SQL is executed against the database [1].
Impact
Successful exploitation allows an authenticated Administrator to execute arbitrary SQL commands on the WordPress database. This could lead to data extraction, modification, or deletion, including creation of new administrative accounts, disclosure of sensitive information, or complete compromise of the site [1].
Mitigation
The vulnerability is fixed in Elementor Website Builder version 3.12.2 released on 2023-05-30. Users should update to at least version 3.12.2 to remediate the issue. There is no workaround provided for unpatched versions [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.12.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493 (tags: mitre, exploit, vdb-entry, technical-description)
- packetstormsecurity.com/files/175639/Elementor-Website-Builder-SQL-Injection.html (tags: mitre)
News mentions
No linked articles in our index yet.