CVE-2023-35050
Description
Missing Authorization vulnerability in Elementor Elementor Pro. This issue affects Elementor Pro: from n/a through 3.13.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Elementor Pro <=3.13.0 lacks authorization checks, letting subscribers perform privileged actions; patched in 3.13.1.
Root Cause
CVE-2023-35050 is a missing authorization vulnerability in the Elementor Pro plugin for WordPress, affecting versions up to and including 3.13.0. The flaw stems from broken access controls – specifically, the absence of proper authorization, authentication, or nonce token checks in certain functions. This allows an unprivileged user (e.g., a Subscriber) to execute actions that should require higher privileges, such as those reserved for Administrators or Editors [1].
Exploitation
Exploitation requires only a Subscriber-level account on a WordPress site running an affected version of Elementor Pro. There is no need for special network access or additional authentication. An attacker with such low-level credentials can leverage the missing authorization checks to perform actions normally restricted to higher roles. The vulnerability has been observed in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1].
Impact
Successful exploitation allows an authenticated attacker with low privileges to perform unauthorized actions, potentially leading to site defacement, data exposure, or further compromise depending on the specific privileged functions accessible. The CVSS v3 base score is 5.4 (Medium), indicating a moderate risk due to the low attack complexity and low privileges required, although the impact on confidentiality, integrity, and availability is considered low [1].
Mitigation
The vulnerability is patched in Elementor Pro version 3.13.1. Users are strongly advised to update immediately. For those unable to update, hosting providers or web developers should be consulted. Patchstack has also released a mitigation rule that blocks attacks until the patch is applied [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.