CVE-2023-47504 Overview
CVE-2023-47504 is an improper authentication vulnerability in the Elementor Website Builder plugin for WordPress. The flaw allows authenticated users with contributor-level access to read arbitrary attachments on the host site. The issue stems from functionality that is not properly constrained by access control lists (ACLs), classified under [CWE-287]. All versions of Elementor Website Builder up to and including 3.16.4 are affected.
Critical Impact
Authenticated attackers with low privileges can access protected attachment files, exposing sensitive media and documents stored within WordPress installations.
Affected Products
- Elementor Website Builder (free, WordPress) versions up to and including 3.16.4
- WordPress sites running the vulnerable Elementor plugin
- Multisite WordPress deployments leveraging Elementor for content creation
Discovery Timeline
- 2024-04-24 - CVE-2023-47504 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2023-47504
Vulnerability Analysis
The vulnerability resides in the Elementor Website Builder plugin and falls under improper authentication ([CWE-287]). Functionality intended to be restricted is exposed to lower-privileged users because the plugin fails to enforce ACL checks. A contributor-level account, which is one of the lowest authenticated roles in WordPress, can invoke functionality reserved for higher-privileged roles.
In practice, the issue is reported by Patchstack as an arbitrary attachment read. A contributor can request attachment content that should be restricted, including private or unpublished media uploaded by other users. This breaks tenant separation on multi-author sites and exposes content that authors expected to remain private.
The attack is reachable over the network without user interaction. Exploitation requires only valid contributor credentials, which are commonly issued on blogs and content platforms that accept guest authors.
Root Cause
The plugin exposes attachment-handling functionality without verifying that the current user has the correct capability for the requested object. Authorization is implicit rather than checked against the WordPress capabilities API on a per-attachment basis.
Attack Vector
An attacker authenticates to WordPress with a contributor account and issues a crafted request to the vulnerable Elementor endpoint. The plugin returns attachment data belonging to other users without enforcing ownership or capability checks. Refer to the Patchstack Vulnerability Report for the technical breakdown.
No public proof-of-concept code is referenced in the advisory, so this article describes the mechanism in prose only.
Detection Methods for CVE-2023-47504
Indicators of Compromise
- WordPress access logs showing contributor accounts issuing repeated requests to Elementor AJAX or REST endpoints that handle attachments
- Unexpected wp-admin/admin-ajax.php requests originating from low-privilege accounts referencing attachment IDs they did not author
- Outbound transfers of media files shortly after contributor-account logins from unfamiliar IP addresses
Detection Strategies
- Use the wp_posts table (rows with post_type = attachment and their post_author) to map attachment IDs to owners, then correlate those IDs with requests made under contributor session cookies in the access logs
- Inspect Elementor plugin request handlers for calls invoked under non-administrator roles
- Compare the installed Elementor version against 3.16.4 across all WordPress instances in the environment
Monitoring Recommendations
- Forward WordPress and web server logs to a central data lake and alert on contributor-role requests targeting Elementor endpoints
- Track creation of new contributor accounts followed by attachment enumeration activity
- Monitor for bulk download patterns from /wp-content/uploads/ directories tied to authenticated low-privilege sessions
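The correlation the indicators and monitoring items above describe (contributor accounts calling Elementor admin-ajax endpoints for attachments they did not author), as an added Python example that is not part of the advisory: it parses constructed access-log lines, joins them with constructed role and attachment-owner tables, and flags low-privilege users who read other users' attachments. The log format (username appended from the wordpress_logged_in_* cookie), the elementor_ajax action string and the attachment_id parameter name are assumptions for the example, not values taken from the advisory.

```python
import re
from collections import defaultdict

# Constructed inputs (not from the advisory). The log format is assumed: a custom
# web-server format whose second field is the WordPress username recorded from the
# wordpress_logged_in_* cookie; the query string is kept verbatim in the request.
USER_ROLES = {"alice": "contributor", "bob": "contributor", "carol": "editor", "dave": "administrator"}
ATTACHMENT_OWNER = {7: "bob", 41: "carol", 42: "carol", 43: "dave"}   # from wp_posts post_author
ACCESS_LOG = """\
203.0.113.10 alice "POST /wp-admin/admin-ajax.php?action=elementor_ajax&attachment_id=41 HTTP/1.1" 200
203.0.113.10 alice "POST /wp-admin/admin-ajax.php?action=elementor_ajax&attachment_id=42 HTTP/1.1" 200
203.0.113.10 alice "POST /wp-admin/admin-ajax.php?action=elementor_ajax&attachment_id=43 HTTP/1.1" 200
198.51.100.7 bob "POST /wp-admin/admin-ajax.php?action=elementor_ajax&attachment_id=7 HTTP/1.1" 200
198.51.100.9 carol "POST /wp-admin/admin-ajax.php?action=elementor_ajax&attachment_id=43 HTTP/1.1" 200
203.0.113.10 alice "GET /wp-content/uploads/2023/10/banner.png HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')
ATTACHMENT_RE = re.compile(r"[?&]attachment_id=(?P<id>\d+)")  # assumed parameter name
LOW_PRIV_ROLES = {"subscriber", "contributor"}

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_elementor_attachment_request(rec):
    """An admin-ajax call with an Elementor action that carries an attachment id."""
    return ("/wp-admin/admin-ajax.php" in rec["path"]
            and "action=elementor" in rec["path"]
            and ATTACHMENT_RE.search(rec["path"]) is not None)

def find_cross_owner_reads(log_text, roles, owners, threshold=2):
    """Return {user: sorted attachment ids} for low-privilege users who successfully
    fetched attachments owned by someone else at least `threshold` times."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "200" or not is_elementor_attachment_request(rec):
            continue
        user = rec["user"]
        if roles.get(user) not in LOW_PRIV_ROLES:      # editors/admins may read any attachment
            continue
        att_id = int(ATTACHMENT_RE.search(rec["path"]).group("id"))
        if owners.get(att_id) != user:                 # reading an attachment they do not own
            hits[user].add(att_id)
    return {u: sorted(ids) for u, ids in hits.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for user, ids in find_cross_owner_reads(ACCESS_LOG, USER_ROLES, ATTACHMENT_OWNER).items():
        print(f"ALERT: contributor {user} read attachments owned by other users: {ids}")
```

Bob's request for his own attachment and Carol's editor-level request are not flagged; only Alice's three cross-owner reads produce an alert.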
How to Mitigate CVE-2023-47504
Immediate Actions Required
- Upgrade Elementor Website Builder to a version later than 3.16.4 on all WordPress sites
- Review and remove unused or stale contributor-level accounts
- Rotate credentials for any contributor accounts that may have been abused
- Audit the wp-content/uploads/ directory for evidence of unauthorized access
Patch Information
Elementor addressed the issue in versions released after 3.16.4. Apply the latest stable Elementor release through the WordPress plugin updater. Confirm the upgrade by checking the plugin version under Plugins > Installed Plugins in the WordPress admin console.
Workarounds
- Restrict contributor registration on sites that do not require guest authors
- Place the WordPress administrative interface behind an IP allowlist or web application firewall rule that blocks unauthenticated and contributor-level requests to Elementor endpoints
- Disable the Elementor plugin until the patched version can be deployed if contributor accounts cannot be removed
# Verify and upgrade Elementor on a WordPress site using WP-CLI
wp plugin get elementor --field=version   # record the installed version (vulnerable if 3.16.4 or lower)
wp plugin update elementor                # pull the latest stable release from the plugin repository
wp plugin get elementor --field=version   # confirm the version is now later than 3.16.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.