CVE-2023-0086

Name of the Vulnerable Software and Affected Versions JetWidgets for Elementor plugin for WordPress versions up to, and including, 1.0.12

Description The issue is due to missing nonce validation on the save() function, allowing unauthenticated attackers to modify the plugin's settings via a forged request. This can be achieved by tricking a site administrator into performing an action, such as clicking on a link. The vulnerability can be used to enable SVG uploads, potentially leading to Cross-Site Scripting.

Recommendations For versions up to, and including, 1.0.12, update to a version that includes nonce validation on the save() function to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.