CVE-2023-48777: 
WordPress vulnerability analysis and mitigation

A critical security vulnerability (CVE-2023-48777) was discovered in Elementor Website Builder, a popular WordPress plugin used by over 5 million websites worldwide. The vulnerability was identified as an 'authenticated arbitrary file upload' issue, initially discovered by security researcher Hồng Quân and reported through the Patchstack alliance program. The vulnerability was present in versions 3.3.0 through 3.18.1 and was patched in version 3.18.2 (Security Online).

The vulnerability lies in the 'handleelementorupload' function, which failed to properly validate file types before uploading, allowing for arbitrary file uploads. The issue enables accounts with edit post permissions (Contributor level and above) to upload potentially malicious files, including PHP files, which could lead to remote code execution. The vulnerability received a CVSS score of 9.9 (High), indicating its severe nature (Patchstack).

The vulnerability affects over 5 million websites using the Elementor Website Builder plugin. It allows authenticated users with contributor-level access to upload malicious files and potentially execute remote code on the server, which could lead to complete website compromise (Security Online).

The vulnerability was addressed in two stages: version 3.18.1 attempted to sanitize file names to prevent files from being saved outside the intended directory, while version 3.18.2 introduced more robust checks for proper validation of file names and extensions. Website administrators are strongly advised to update to version 3.18.2 or later immediately (Security Online, Patchstack).