CVE-2023-41656

Vulnerability

Overview The Better Elementor Addons plugin for WordPress versions up to 1.3.7 suffers from a Missing Authorization vulnerability. This issue arises from incorrectly configured access control security levels, allowing functions to be executed without proper authorization checks [1].

Exploitation

Conditions An attacker can exploit this vulnerability without requiring authentication or elevated privileges. By manipulating requests, they can trigger actions that should be restricted to higher-privileged users. This type of broken access control is commonly used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation enables an attacker to perform unauthorized actions, potentially leading to privilege escalation or data manipulation. While the CVSS score is 5.4 (Medium), the risk is amplified by the plugin's widespread use and the ease of exploitation [1].

Mitigation

The vulnerability is patched in version 1.3.9 of Better Elementor Addons. Users are strongly advised to update immediately. Those unable to update should consult their hosting provider for temporary security measures. Patchstack also provides a mitigation rule to block attacks until the update is applied [1].