Vulnerability
Elementor Website Builder <= 3.10.0 – Admin+ SQLi
Description
The plugin does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.
CVE-ID
CVE-2023-0329
Vendor
Elementor
Product
Elementor Website Builder – More than Just a Page Builder
Disclosure Timeline
Reported On: 20-01-23
Made Public On: 02-05-2023
Fixed On: 01-05-2023
Credits
Sanjay Das