CVE-2023-4690: 
WordPress vulnerability analysis and mitigation

The Elementor Addon Elements plugin for WordPress (versions up to and including 1.12.7) was identified with a Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2023-4690. The vulnerability was discovered and reported by security researchers Marco Wotschka and Paolo Tresso (Wordfence).

The vulnerability stems from missing or incorrect nonce validation in the eaesaveconfig function. This security flaw has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N by NIST, while Wordfence assessed it with a slightly higher score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L (NVD).

The vulnerability allows unauthenticated attackers to modify the plugin's configuration settings through forged requests, provided they can successfully trick a site administrator into performing specific actions, such as clicking on a malicious link (WPScan).

The vulnerability has been patched in version 1.12.8 of the Elementor Addon Elements plugin. Site administrators are strongly advised to update to this version or later to protect against potential CSRF attacks (WPScan).