WordPress Plugin Vulnerabilities

Elementor < 3.1.4 - Authenticated Stored Cross-Site Scripting (XSS) in Column Element

Description

In the plugin, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.

Proof of Concept

Affects Plugins

Plugin icon
elementor
Fixed in 3.1.4

References

CVE
CVE-2021-24201
URL
https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Ramuel Gall
Submitter
Ramuel Gall
Submitter twitter
ramuelgall
Verified
Yes
WPVDB ID
9647f516-b130-4cc8-85fb-2e69b034ced0

Timeline

Publicly Published
2021-03-17 (about 4 years ago)
Added
2021-03-17 (about 4 years ago)
Last Updated
2021-03-20 (about 4 years ago)

Other

Published
Title
Published
2021-10-14
Title
WpGenius Job Listing <= 1.0.2 - Admin+ Stored Cross-Site Scripting
Published
2025-05-20
Title
Formulario de contacto SalesUp! <= 1.0.14 - Reflected Cross-Site Scripting
Published
2024-03-29
Title
Contact Form 7 Newsletter <= 2.2 - Reflected Cross-Site Scripting
Published
2025-08-20
Title
Risk Free Cash On Delivery (COD) - WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2021-02-01
Title
Ivory Search < 4.5.11 - Authenticated Reflected Cross-Site Scripting (XSS)