CVE-2021-24891
Published 2021-11-23

Priority: P347
Severity: medium (CVSS 3.1 base score 6.1)
EPSS: 24.01% (97.6th percentile)
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elementor | website_builder | < 3.1.4 | 3.1.4 |
| elementor | website_builder | >= 3.2.0 < 3.4.8 | 3.4.8 |
CVSS provenance
- NVD, CVSS v3.1: 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
- NVD, CVSS v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)
No detection rules found.
Nuclei template: WordPress Elementor Website Builder <3.1.4 - Cross-Site Scripting (CVE-2021-24891, severity MEDIUM, CVSS 6.1)
WordPress Elementor Website Builder 1.5.0', '< 3.1.4')
```yaml
      - type: regex
        part: body
        regex:
          - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"
        internal: true

      - type: kval
        kval:
          - version

# digest: 4a0a00473045022100a9b513a25700f1f473a8930f2da017c599d24e56bb153080ecd712c0080ee94a0220596505da1266aebbe7b6bafaa3baa7ad8ca792a791ee85c2cf22f2aa487d9a17:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.