CVE-2023-48750

Vulnerability

Overview The Void Elementor Post Grid Addon for Elementor Page builder plugin for WordPress suffers from a missing authorization vulnerability in versions up to and including 2.1.10. This broken access control issue means that certain functions lack proper permission checks, allowing users without the required privileges to perform actions that should be restricted [1].

Exploitation

An attacker can exploit this vulnerability without needing any authentication, as the missing authorization check does not verify user roles or capabilities. The attack surface is broad because the plugin is widely used, and the vulnerability can be triggered via crafted requests to the WordPress installation [1].

Impact

Successful exploitation could allow an attacker to execute actions that are normally reserved for higher-privileged users, such as modifying post grid settings or accessing sensitive data. This could lead to unauthorized changes to the website's content or configuration [1].

Mitigation

The vendor has released version 2.2 which addresses the vulnerability. Users are strongly advised to update immediately. For those unable to update, applying a virtual patch or using a security plugin like Patchstack can provide temporary protection until the update is applied [1].