CVE-2023-6743
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to execute arbitrary code on the server through the Unlimited Elements For Elementor plugin's template import functionality. All WordPress sites using vulnerable versions of this plugin are affected, potentially enabling attackers to take full control of the web server.
💻 Affected Systems
- Unlimited Elements For Elementor (Free Widgets, Addons, Templates) WordPress plugin
📦 What is this software?
Unlimited Elements For Elementor by Unlimited Elements
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, website defacement, and lateral movement to other systems in the network.
Likely Case
Website defacement, malware injection, credential theft, and backdoor installation for persistent access.
If Mitigated
Limited impact if proper access controls, network segmentation, and monitoring are in place, though code execution would still be possible.
🎯 Exploit Status
Exploitation requires contributor-level credentials. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.90 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3015166/unlimited-elements-for-elementor
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Unlimited Elements For Elementor'.
4. Click 'Update Now' if available, or manually update to version 1.5.90+.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable plugin
Temporarily disable the vulnerable plugin until patching is possible:
wp plugin deactivate unlimited-elements-for-elementor
Restrict user roles
Remove contributor and author roles from untrusted users.
🧯 If You Can't Patch
- Implement strict access controls: remove contributor roles from all users and require admin approval for new accounts
- Enable a web application firewall with RCE protection rules and monitor for suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Unlimited Elements For Elementor → Version. If the version is 1.5.89 or lower, the site is vulnerable.
Check Version:
wp plugin get unlimited-elements-for-elementor --field=version
Verify Fix Applied:
Verify plugin version is 1.5.90 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'action=unlimited_elements_import_template'
- Unexpected file creation in wp-content/uploads/unlimited-elements/
- PHP execution from unusual locations
Network Indicators:
- HTTP requests containing base64 encoded PHP code in parameters
- Outbound connections from web server to suspicious IPs
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters CONTAINS "unlimited_elements_import_template")
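As an added example (not code from the advisory, the plugin, or any vendor), the Python below checks an installed plugin version against the fixed release 1.5.90 and scans access-log lines for the admin-ajax.php template-import indicator listed above; the sample log lines are constructed and assumed to be in Apache combined format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format) for demonstration.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=unlimited_elements_import_template HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jan/2024:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Fields of the combined log format we need: client IP, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
SUSPECT_ACTION = "unlimited_elements_import_template"  # action named in the advisory
FIXED_VERSION = (1, 5, 90)                             # first patched release


def parse_version(version):
    """Turn '1.5.89' into (1, 5, 89) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version):
    """True when the installed plugin version is below the fixed release 1.5.90."""
    return parse_version(version) < FIXED_VERSION


def find_template_import_hits(log_text):
    """Return one record per request to admin-ajax.php whose action is the template import."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        uri = urlsplit(m["uri"])
        if uri.path != "/wp-admin/admin-ajax.php":
            continue
        # parse_qs decodes percent-encoding, so an encoded action name is still matched
        if SUSPECT_ACTION in parse_qs(uri.query).get("action", []):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    print("1.5.89 vulnerable:", is_vulnerable("1.5.89"))
    for hit in find_template_import_hits(SAMPLE_LOG):
        print("template-import request:", hit)
```

Web-server access logs record only the query string, so an action sent in the POST body will not appear in them; for that case the WAF log or an application-level request log has to be the data source.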
🔗 References
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_output.class.php#L1765
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/core/plugins/unlimited_elements/elementor/elementor_widget.class.php#L3948
- https://plugins.trac.wordpress.org/changeset/3010986/unlimited-elements-for-elementor#file6
- https://plugins.trac.wordpress.org/changeset/3015166/unlimited-elements-for-elementor
- https://www.wordfence.com/threat-intel/vulnerabilities/id/25f71a19-85b1-4bc9-b193-d9de2eba81ee?source=cve