CVE-2023-47178
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform path traversal attacks, enabling local file inclusion in WordPress sites using The Plus Addons for Elementor Pro plugin. Attackers can read sensitive files like wp-config.php containing database credentials. All WordPress sites with vulnerable versions of this plugin are affected.
💻 Affected Systems
- The Plus Addons for Elementor Pro
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via reading wp-config.php database credentials, leading to database takeover, code execution, and site defacement.
Likely Case
Sensitive file disclosure including configuration files, user data, and potentially gaining administrative access to the WordPress site.
If Mitigated
Limited to reading non-sensitive files if proper file permissions and web server configurations are in place.
🎯 Exploit Status
Simple path traversal payloads can be used. Public exploit code is available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.9 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'The Plus Addons for Elementor Pro'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 5.2.9+ from the vendor and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate The Plus Addons for Elementor Pro until patched:
wp plugin deactivate theplus_elementor_addon
Web application firewall rule
Block path traversal patterns in requests to WordPress:
Add WAF rule: block requests containing '../' or similar path traversal patterns
🧯 If You Can't Patch
- Implement strict file permissions on sensitive files (wp-config.php should be 400 or 440)
- Deploy web application firewall with path traversal detection rules
🔍 How to Verify
Check if Vulnerable:
Check the installed plugin version via the admin panel or WP-CLI; any version earlier than 5.2.9 is vulnerable:
wp plugin get theplus_elementor_addon --field=version
Verify Fix Applied:
Confirm the plugin version is 5.2.9 or higher with the same command:
wp plugin get theplus_elementor_addon --field=version
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns to WordPress
- Access to wp-config.php or other sensitive files from unexpected IPs
- 404 errors for non-existent plugin files with traversal patterns
Network Indicators:
- Unusual file read requests to WordPress with traversal sequences
- Requests to plugin endpoints with file parameter manipulation
SIEM Query:
source="web_server" AND (uri="*../*" OR uri="*wp-config.php*") AND user_agent NOT CONTAINS "bot"
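The log indicators above, as an added Python detector that is not part of this advisory: it parses constructed combined-format access log lines (the IPs and the `file` query parameter are made up for illustration, not the plugin's real endpoint), percent-decodes each URI until it stops changing so encoded and double-encoded traversal sequences are caught, and flags any request containing `../` or naming wp-config.php.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access log lines (not from the advisory). The "file"
# query parameter is an illustrative placeholder, not the plugin's real endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2023:10:01:02 +0000] "GET /wp-content/plugins/theplus_elementor_addon/css/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Nov/2023:10:01:03 +0000] "GET /?file=../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [12/Nov/2023:10:01:04 +0000] "GET /?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.13 - - [12/Nov/2023:10:01:05 +0000] "GET /?file=%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(  # only the fields the detector needs are captured
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TRAVERSAL_RE = re.compile(r'\.\.(/|$)')  # "../" anywhere, or a trailing ".."
SENSITIVE_FILES = ('wp-config.php',)     # extend with other files you care about

def normalize_uri(uri: str) -> str:
    """Percent-decode until stable (so %2e%2e%2f and double-encoded %252e%252e%252f
    both become ../), fold backslashes to slashes and lower-case the result."""
    decoded = uri
    for _ in range(3):  # bounded: three rounds covers single and double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/').lower()

def classify(uri: str) -> list:
    """Indicator names that match this URI after normalisation (empty if clean)."""
    norm = normalize_uri(uri)
    reasons = ['traversal-sequence'] if TRAVERSAL_RE.search(norm) else []
    if any(name in norm for name in SENSITIVE_FILES):
        reasons.append('sensitive-file-reference')
    return reasons

def scan_log(text: str) -> list:
    """One dict per suspicious request; 404s are kept because failed probes still matter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        reasons = classify(m['uri'])
        if reasons:
            hits.append({'ip': m['ip'], 'status': int(m['status']), 'uri': m['uri'], 'reasons': reasons})
    return hits
```

Unlike the SIEM query above, this does not exclude "bot" user agents, since the User-Agent header is attacker-controlled and the sample shows scripted clients setting their own.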
🔗 References
- https://patchstack.com/database/vulnerability/theplus_elementor_addon/wordpress-the-plus-addons-for-elementor-pro-plugin-5-2-8-unauthenticated-local-file-inclusion-vulnerability?_s_id=cve