CVE-2021-24203

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.1%

top 70.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Elementor Website Builder Elementor Website Builder

Timeline

PublishedApr 5

Latest updateMay 24

Description

In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request with this parameter set to ‘script’ and combined with a ‘text’ parameter containing JavaScript, which will then be executed when the saved page is viewed or previewed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDelementor/website_builder< 3.1.4

▶CVEListV5unknown/elementor_website_builder3.1.4 — 3.1.4

🔴Vulnerability Details

GHSA

GHSA-66w3-q6c3-mx37: In the Elementor Website Builder WordPress plugin before 3↗2022-05-24

▶

CVEList

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Divider Widget↗2021-04-05

▶