CVE-2023-0336 in OoohBoi Steroids for Elementor Plugin
Summary
by MITRE • 03/27/2023
The OoohBoi Steroids for Elementor WordPress plugin through 2.1.3 has CSRF and broken access control vulnerabilities which allow a user with a role as low as subscriber to delete attachments.
Analysis
by VulDB Data Team • 02/19/2025
The CVE-2023-0336 vulnerability affects the OoohBoi Steroids for Elementor WordPress plugin version 2.1.3 and earlier, presenting critical security flaws that undermine the platform's access control mechanisms. This vulnerability resides within a plugin designed to enhance Elementor page builder functionality, making it particularly concerning given the widespread adoption of both Elementor and its supporting plugins across WordPress ecosystems. The flaw manifests as a combination of cross-site request forgery and broken access control vulnerabilities that collectively enable unauthorized actions by users with minimal privileges.
Technically, the vulnerability stems from insufficient validation of user permissions and the absence of anti-CSRF token (nonce) checks in the plugin's request handlers. An attacker can craft a request that rides on a legitimate logged-in session, bypassing the normal WordPress permission checks that should prevent subscribers from performing destructive actions. The broken access control specifically lets low-privilege users reach the attachment deletion function, which should be restricted to administrators or editors with the appropriate capabilities.
Operationally, this vulnerability creates a severe risk for WordPress sites utilizing the affected plugin, as it enables malicious subscribers or compromised low-privilege accounts to delete media attachments from the site's media library. This capability extends beyond simple data deletion to potentially disrupt site functionality, compromise content integrity, and enable further attacks through the removal of critical assets such as logos, images, or other media that may be referenced in content. The impact is particularly damaging in business environments where content management and media assets are central to operations and where the removal of attachments could lead to service disruption or data loss.
The vulnerability aligns with CWE-352 for Cross-Site Request Forgery and CWE-284 for Improper Access Control, both of which are fundamental security weaknesses that demonstrate poor implementation of authorization controls. From an ATT&CK framework perspective, this vulnerability maps to T1078 Valid Accounts and T1485 Data Destruction, as it enables attackers to leverage compromised low-privilege accounts to perform destructive operations. The attack vector typically involves social engineering or account compromise to gain subscriber-level access, followed by exploitation of the CSRF vulnerability to execute unauthorized attachment deletion commands.
Mitigation strategies should prioritize immediate patching of the affected plugin to version 2.1.4 or later, which addresses these access control and CSRF vulnerabilities through proper permission validation and anti-CSRF token implementation. Site administrators should also implement additional security measures including regular security audits of installed plugins, monitoring of unauthorized administrative actions, and implementation of web application firewalls to detect and block suspicious requests. Access control should be reviewed to ensure proper user role assignments and that the principle of least privilege is enforced. Additionally, regular backups should be maintained to ensure rapid recovery in case of successful exploitation, and security monitoring should be enhanced to detect anomalous attachment deletion patterns that may indicate exploitation attempts.
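To make the two root causes and the fix concrete, the following is an added, hypothetical WordPress AJAX handler written for this analysis; it is not code from the OoohBoi Steroids for Elementor plugin, and the hook, nonce and parameter names (`sfe_example_delete_attachment`, `sfe_example_nonce`, `attachment_id`) are assumptions. The first function shows the missing-nonce and missing-capability pattern; the second shows the nonce check plus per-object capability check that the mitigation paragraph calls for.

```php
<?php
// Hypothetical handlers written for this analysis; not the plugin's own code.
// Hook, nonce and parameter names below are assumptions.

// Vulnerable pattern: any logged-in user can reach a wp_ajax_ hook, and a forged
// cross-site request carries the victim's cookies. With no nonce check (CSRF) and
// no capability check (broken access control), the handler deletes whatever ID it gets.
function sfe_example_delete_attachment_vulnerable() {
    $id = absint( $_POST['attachment_id'] ?? 0 );
    wp_delete_attachment( $id, true );
    wp_send_json_success();
}

// Hardened pattern: reject forged requests, confirm the target is an attachment,
// and require the delete capability for that specific object.
function sfe_example_delete_attachment_hardened() {
    // 1. Anti-CSRF: dies with HTTP 403 unless a valid nonce for this action is present.
    check_ajax_referer( 'sfe_example_delete_attachment', 'sfe_example_nonce' );

    $id   = absint( $_POST['attachment_id'] ?? 0 );
    $post = get_post( $id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'not an attachment' ), 400 );
    }

    // 2. Authorization: 'delete_post' is a meta capability resolved per object by
    //    map_meta_cap(), so a subscriber fails here and an author passes only for
    //    attachments they own; administrators and editors pass for all.
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // wp_delete_attachment() returns false on failure.
    if ( false === wp_delete_attachment( $id, true ) ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_sfe_example_delete_attachment', 'sfe_example_delete_attachment_hardened' );

// Nonce the client must include as 'sfe_example_nonce', e.g. handed to the
// front-end script through wp_localize_script().
function sfe_example_nonce_for_client() {
    return wp_create_nonce( 'sfe_example_delete_attachment' );
}
```

For detection, the hardened handler's 403 responses on the `admin-ajax.php` action are a useful signal: a subscriber-level session repeatedly hitting them is the anomalous deletion pattern the mitigation paragraph recommends monitoring for.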