Website Builder
CVE-2023-48777
CRITICAL
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.This issue affects Elementor Website Builder: from 3.3.0 through 3.18.1.
AnalysisAI
Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.3.0 through 3.18.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 90.8%.
Technical ContextAI
This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. Unrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.3.0 through 3.18.1. Affected products include: Elementor Website Builder. Version information: through 3.18.1..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.
More in Website Builder
View allThe Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due t
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor.Com Elem
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL param
Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. Rated medium se
The Elementor Website Builder - More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Sit
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in
DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 ve
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM v
The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template. R
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) ac
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) acce
In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) ac
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today