CVE-2020-36703 — Cross-site Scripting in Elementor Website Builder More Than Just A Page Builder

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

CNA6.4

EPSS

0.1%

top 70.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elemntor Elementor Website Builder More Than Just A Page Builder Elementor Website Builder

Timeline

PublishedJun 7

Description

The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to, and including 2.9.7 This makes it possible for authenticated attackers with the upload_files capability to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the stored web scripts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5elemntor/elementor_website_builder_more_than_just_a_page_builder2.9.7

▶NVDelementor/website_builder2.9.7

🔴Vulnerability Details

CVEList

Elementor Website Builder <= 2.9.7 - Authenticated Stored Cross-Site Scripting↗2023-06-07

▶

GHSA

GHSA-vm89-qhc8-q63h: The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to, and including↗2023-06-07

▶