CVE-2023-1807 in Elementor Addons, Widgets and Enhancements Plugin

Summary

by MITRE • 06/09/2023

The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on the toggle_widget function. This makes it possible for unauthenticated attackers to enable or disable Elementor widgets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.


Analysis

by VulDB Data Team • 04/09/2026

The vulnerability identified as CVE-2023-1807 affects the Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress in versions up to and including 1.4.3. It is a critical security weakness that undermines the integrity of WordPress site administration through a fundamental flaw in the plugin's request validation. The issue resides in the toggle_widget function, which fails to properly implement nonce validation and thereby gives malicious actors a path to manipulate plugin functionality without proper authentication.

The technical flaw is the absence of proper nonce validation in the toggle_widget function. Nonce validation is a core WordPress security mechanism designed to prevent unauthorized requests from being processed: nonces (numbers used once) are time-limited tokens that verify the authenticity of administrative actions and ensure that a request originates from a legitimate source within the WordPress ecosystem. When this validation is missing or incorrectly implemented, an attacker can craft a request that the site accepts as if it came from an authenticated administrator, bypassing the standard control that protects plugin settings and widget configurations from unauthorized modification.
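To make the distinction concrete, here is a hypothetical admin-ajax handler in the shape the analysis describes, shown first without nonce validation and then hardened. This is added illustration, not the Stax plugin's code; the function names, the option key `stax_demo_widgets`, the nonce action `stax_demo_toggle_widget`, and the script handle `stax-demo-admin` are all assumptions.

```php
<?php
// Hypothetical handlers constructed for illustration; not the Stax plugin's code.
// Both versions persist a widget on/off flag in one option array.

// VULNERABLE: nothing proves the logged-in admin intended this request.
// The browser attaches the admin's session cookie to a request forged by
// another site, and the handler trusts it.
function stax_demo_toggle_widget_vulnerable() {
    $widget  = sanitize_key( $_POST['widget'] ?? '' );
    $enabled = ! empty( $_POST['enabled'] );

    $widgets = (array) get_option( 'stax_demo_widgets', array() );
    $widgets[ $widget ] = $enabled;
    update_option( 'stax_demo_widgets', $widgets );
    wp_send_json_success( $widgets );
}
add_action( 'wp_ajax_stax_demo_toggle_widget_vulnerable', 'stax_demo_toggle_widget_vulnerable' );

// HARDENED: require a nonce bound to this action, then check capability.
// check_ajax_referer() dies with a 403 when the nonce is missing, expired,
// or issued for a different action or user; a cross-site forgery cannot
// include a valid one because the attacking page never sees it.
function stax_demo_toggle_widget_hardened() {
    check_ajax_referer( 'stax_demo_toggle_widget', 'nonce' );

    // A nonce proves intent, not authorization: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $widget  = sanitize_key( $_POST['widget'] ?? '' );
    $enabled = ! empty( $_POST['enabled'] );
    if ( '' === $widget ) {
        wp_send_json_error( 'missing widget id', 400 );
    }

    $widgets = (array) get_option( 'stax_demo_widgets', array() );
    $widgets[ $widget ] = $enabled;
    update_option( 'stax_demo_widgets', $widgets );
    wp_send_json_success( $widgets );
}
add_action( 'wp_ajax_stax_demo_toggle_widget_hardened', 'stax_demo_toggle_widget_hardened' );

// Hand the nonce to the legitimate admin page's (hypothetical) script so it
// can send it as the `nonce` POST field the hardened handler expects.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'stax-demo-admin', 'staxDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'stax_demo_toggle_widget' ),
    ) );
} );
```

Note that the nonce check alone is not sufficient: without the `current_user_can()` test, any logged-in subscriber holding a valid nonce could still toggle widgets, which is why the hardened handler checks both.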

This vulnerability has significant operational impact for WordPress site administrators and organizations relying on the affected plugin, because it lets unauthenticated attackers manipulate Elementor widgets through forged requests. The attack requires social engineering to get an administrator to click a malicious link, but once that succeeds the attacker can enable or disable widgets at will, potentially disrupting site functionality, weakening security configurations, or facilitating further attacks by altering plugin behavior to create backdoors or hide malicious activity. The consequences extend beyond simple widget manipulation, since such changes can affect site performance, user experience, and overall security posture.

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and represents a clear violation of the principle of least privilege in web application security. From an ATT&CK framework perspective, this weakness maps to T1078 Valid Accounts and T1566 Impair Defenses, since attackers can use forged requests to change plugin configuration without holding legitimate administrative credentials while impairing the site's defensive mechanisms. Organizations should update to the latest plugin version immediately, monitor for unusual widget toggle activity, and consider additional administrative controls such as two-factor authentication and restricted administrator access to reduce the chance of exploitation.

Responsible: Wordfence

Reservation: 04/03/2023

Disclosure: 06/09/2023

Moderation: accepted

CPE: ready

EPSS: 0.00300

KEV: no

Activities: very low
