CVE-2023-33930
📋 TL;DR
This vulnerability allows attackers to upload malicious ZIP files containing dangerous file types to WordPress sites using the Unlimited Elements for Elementor plugin. When extracted, these files can execute arbitrary code, leading to complete site compromise. All WordPress installations with this plugin version 1.5.66 or earlier are affected.
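The class of bug described above is an extraction routine that unpacks whatever members the uploaded archive carries. The following Python is an added example (not code from the plugin or from this advisory's source) of the member-level checks such a routine must apply before writing anything to disk: rejecting absolute and traversing paths, dotfiles, any name carrying an interpreter-executable extension anywhere in it, and anything outside an asset allowlist. The allowlist, the sample archive and its member names are constructed for illustration.

```python
"""Vet ZIP members before extraction. Added example; the allowlist, the archive and its
member names are constructed, not taken from the plugin."""
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Tuple

# What an asset/template bundle legitimately needs (assumed allowlist; tune per application).
ALLOWED_EXTENSIONS = {".css", ".js", ".json", ".svg", ".png", ".jpg", ".jpeg", ".gif",
                      ".woff", ".woff2", ".txt", ".html"}
# Extensions a web server may hand to an interpreter; rejected wherever they appear in the
# name, so "img.php.jpg" is caught as well as "shell.php".
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar",
                         ".cgi", ".pl", ".py", ".sh"}


def classify_entry(name: str) -> Optional[str]:
    """Return a rejection reason for one ZIP member name, or None if it may be extracted."""
    if name.endswith("/"):
        return None                      # directory entry; creating a subdirectory is harmless
    if "\\" in name or "\x00" in name:
        return "malformed name"          # ZIP names use '/'; backslashes or NULs hide intent
    path = PurePosixPath(name)
    if path.is_absolute():
        return "absolute path"
    if ".." in path.parts:
        return "path traversal"          # would escape the extraction directory
    if any(part.startswith(".") for part in path.parts):
        return "hidden file"             # .htaccess, .user.ini and friends change server behaviour
    if {s.lower() for s in path.suffixes} & EXECUTABLE_EXTENSIONS:
        return "executable extension"
    if path.suffix.lower() not in ALLOWED_EXTENSIONS:
        return "extension not allowlisted"
    return None


def vet_archive(zip_bytes: bytes) -> Tuple[List[str], Dict[str, str]]:
    """Split the archive's members into accepted names and {rejected name: reason}."""
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_entry(info.filename)
            if reason is None:
                accepted.append(info.filename)
            else:
                rejected[info.filename] = reason
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: a benign asset bundle with hostile members mixed in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("widget/style.css", "body{margin:0}")
        zf.writestr("widget/script.js", "console.log('ok')")
        zf.writestr("widget/shell.php", "<?php /* constructed placeholder */")
        zf.writestr("widget/img.php.jpg", "not an image")
        zf.writestr("../../stray.txt", "escapes the target directory")
        zf.writestr(".htaccess", "# constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = vet_archive(build_sample_archive())
    print("extract:", ok)
    for name, why in bad.items():
        print(f"reject {name!r}: {why}")
```

Only the accepted names are extracted, and only beneath the intended destination directory; the rejected set is also what an application-side log entry for a refused upload should record, since that is what a detection rule can key on.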
💻 Affected Systems
- Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
📦 What is this software?
Unlimited Elements For Elementor by Unlimited Elements
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing remote code execution, data theft, defacement, and backdoor installation leading to persistent access.
Likely Case
Website defacement, malware injection, credential theft, and unauthorized administrative access to the WordPress site.
If Mitigated
Limited impact if file uploads are restricted at the web server level, but plugin functionality may be impaired.
🎯 Exploit Status
Exploitation requires only the ability to upload ZIP files through the plugin interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.67 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Unlimited Elements For Elementor'.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 1.5.67+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable plugin
Temporarily deactivate the Unlimited Elements for Elementor plugin until patched.
wp plugin deactivate unlimited-elements-for-elementor
Restrict ZIP uploads
Block ZIP file uploads at the web server level using .htaccess or nginx configuration. The Apache rules below use the 2.2-style Order/Deny directives; on Apache 2.4 without mod_access_compat, use Require all denied inside the Files block instead.
# Apache .htaccess:
<Files *.zip>
    Order Allow,Deny
    Deny from all
</Files>
# Nginx:
location ~ \.zip$ {
    deny all;
}
🧯 If You Can't Patch
- Remove plugin upload functionality by disabling relevant plugin features in WordPress admin
- Implement web application firewall rules to block malicious ZIP file upload patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Unlimited Elements For Elementor version 1.5.66 or earlier.
Check Version:
wp plugin get unlimited-elements-for-elementor --field=version
Verify Fix Applied:
Verify plugin version is 1.5.67 or later in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual ZIP file uploads via /wp-admin/admin-ajax.php
- File write operations to unexpected directories like wp-content/uploads with PHP/executable extensions
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with ZIP file attachments
- Unusual outbound connections from web server after file uploads
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND ".zip" AND action="ue_upload_zip_file"
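As an added example (not from the advisory source or the plugin), the Python below runs the two log indicators above over a constructed sample of web server access log lines in the common combined format, and lists interpreter-executable files under an uploads tree. A web server records only the request line, not the multipart body, so the upload check keys on the action query parameter named in the SIEM query; matching on the body itself needs a WAF or application log. The log format, the IP addresses, timestamps and file names are assumptions.

```python
"""Run the detection indicators above over access-log lines and an uploads directory.
Added example: the log format, action name, sample IPs and paths are assumptions."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format (assumed; adjust if your vhost logs differently).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_ACTION = "ue_upload_zip_file"  # action name from the SIEM query above
EXEC_SUFFIXES = (".php", ".phtml", ".phar", ".php5", ".php7")


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line matching an indicator; unparseable lines are skipped."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = url.path.lower()
        if m["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php"):
            # Only the query string is visible here; a form body needs a WAF or application log.
            action = parse_qs(url.query).get("action", [""])[0]
            if action == UPLOAD_ACTION or "zip" in action.lower():
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "rule": "ajax-zip-upload", "detail": action})
        # A request for a PHP file under uploads means something executable landed there.
        if "/wp-content/uploads/" in path and path.endswith(EXEC_SUFFIXES):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "rule": "php-under-uploads", "detail": url.path})
    return findings


def scan_uploads_dir(uploads: Path) -> List[str]:
    """Relative paths of interpreter-executable files under the uploads tree (normally empty)."""
    return sorted(p.relative_to(uploads).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES)


# Constructed sample log: one upload call followed by a fetch of a PHP file from uploads,
# plus ordinary traffic and a malformed line that must not fire.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=ue_upload_zip_file HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2023:10:00:09 +0000] "GET /wp-content/uploads/2023/06/widget/stray.php HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/Jun/2023:10:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61',
    '198.51.100.7 - - [10/Jun/2023:10:01:05 +0000] "GET /wp-content/uploads/2023/06/photo.jpg HTTP/1.1" 200 40210',
    'garbage line that does not parse',
]


def build_sample_uploads() -> Path:
    """Constructed uploads tree in a temp dir: one image and one stray PHP file."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    (root / "2023/06/widget").mkdir(parents=True)
    (root / "2023/06/photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "2023/06/widget/stray.php").write_text("<?php /* constructed placeholder */")
    return root


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['rule']}: {f['detail']}")
    print("executable files under uploads:", scan_uploads_dir(build_sample_uploads()))
```

Point scan_uploads_dir at the real wp-content/uploads directory for a one-off sweep; any hit there is worth investigating regardless of what the access log shows, since the plugin's extraction path rather than an HTTP request may have written the file.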
🔗 References
- https://patchstack.com/database/vulnerability/unlimited-elements-for-elementor/wordpress-unlimited-elements-for-elementor-plugin-1-5-66-unrestricted-zip-extraction-vulnerability?_s_id=cve