CVE-2023-0329: 
WordPress vulnerability analysis and mitigation

The Elementor Website Builder WordPress plugin before version 3.12.2 contains a SQL injection vulnerability identified as CVE-2023-0329. The vulnerability exists in the Tools module where the Replace URL parameter is not properly sanitized and escaped before being used in SQL statements. This security flaw affects WordPress installations using the Elementor Website Builder plugin versions prior to 3.12.2 (WPScan).

The vulnerability is classified as a SQL injection (SQLI) with a CVSS score of 5.5 (medium severity). It falls under the OWASP Top 10 category A1: Injection and is identified as CWE-89. The vulnerability specifically affects the Replace URL functionality in the Tools module of the plugin, where insufficient input sanitization allows for SQL injection attacks. The issue was discovered by security researcher Sanjay Das and was publicly disclosed on May 2, 2023 (WPScan, FortiGuard).

Successful exploitation of this vulnerability could lead to arbitrary SQL code execution in the security context of the database service connected to the application. Attackers with administrator privileges could potentially add, view, delete, or modify data in the database of the affected application (FortiGuard).

The recommended mitigation is to update the Elementor Website Builder plugin to version 3.12.2 or later, which contains the security fix for this vulnerability. Website administrators should apply the most recent upgrade or patch from the vendor through the WordPress plugin repository (FortiGuard).