CVE-2023-3124
CVE-2023-3124 is a high-severity vulnerability in Elementor Elementor Pro with a CVSS 3.x base score of 8.8. Its EPSS exploit-prediction score of 23% places it in the 97th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-862.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- EPSS exploit prediction: 23% (97th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-862
- Affected product: Elementor Elementor Pro
- Published:
- Last modified:
Description
The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_page_option function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update arbitrary site options, which can lead to privilege escalation.
Frequently asked questions
- What is CVE-2023-3124?
- The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_page_option function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update arbitrary site options, which can lead to privilege escalation.
- How severe is CVE-2023-3124?
- CVE-2023-3124 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-3124 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 23% (97th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-3124?
- CVE-2023-3124 affects Elementor Elementor Pro. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-3124?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-3124 published?
- CVE-2023-3124 was published on 2023-06-07 and last updated on 2026-06-17.
References
- https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-wordpress-elementor-pro-plugin/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/570474f2-c118-45e1-a237-c70b849b2d3c?source=cve
Affected products (1)
- cpe:2.3:a:elementor:elementor_pro:*:*:*:*:*:wordpress:*:*
More vulnerabilities in Elementor Elementor Pro
- CVE-2020-26596 — High (CVSS 8.8): The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to…
- CVE-2024-35656 — High (CVSS 7.1): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Elementor…
- CVE-2024-2781 — Medium (CVSS 6.4): The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the…
- CVE-2024-1521 — Medium (CVSS 6.4): The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an SVGZ file…
- CVE-2024-1364 — Medium (CVSS 6.4): The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget's…
- CVE-2024-2121 — Medium (CVSS 5.4): The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's…
All CVEs affecting Elementor Elementor Pro →
Other CWE-862 (Missing Authorization) vulnerabilities
- CVE-2026-0092 — Critical (CVSS 10.0): In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could…
- CVE-2026-33712 — Critical (CVSS 10.0): Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST…
- CVE-2026-2031 — Critical (CVSS 10.0): An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration…
- CVE-2026-34976 — Critical (CVSS 10.0): Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing…
- CVE-2025-30416 — Critical (CVSS 10.0): Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis…
- CVE-2025-45854 — Critical (CVSS 10.0): /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.
Browse all CWE-862 (Missing Authorization) vulnerabilities →