CVE-2022-29455
published 2022-06-13

CVE-2022-29455: DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions.

Priority: P347 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 23.18% (97.5th percentile)

Affected

2 ranges

Vendor     Product                    Version range  Fixed in
elementor  elementor_website_builder  <= 3.5.5
elementor  website_builder            <= 3.5.5

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/#elementor-action:action=lightbox&settings=ewogICAgInR5cGUiOiAidmlkZW8iLAogICAgInVybCI6ICJodHRwOi8vIiwKICAgICJ2aWRlb1R5cGUiOiAiaG9zdGVkIiwKICAgICJ2aWRlb1BhcmFtcyI6IHsKICAgICAgICAib25lcnJvciI6ImFsZXJ0KGRvY3VtZW50LmRvbWFpbisnICcrZG9jdW1lbnQuY29va2llKSIsCiAgICAgICAgInN0eWxlIjogImJhY2tncm91bmQtY29sb3I6cmVkIgogICAgfQp9
path: /wp-content/plugins/elementor/readme.txt
  • Probe for vulnerable Elementor versions (<= 3.5.5) by fetching the plugin readme.txt and extracting the 'Stable tag' version field; match versions <= 3.5.5 alongside HTTP 200 and body containing 'Elementor Website Builder'.
  • Version extraction from readme.txt uses the regex pattern '(?m)Stable tag: ([0-9.]+)' to identify the installed plugin version for comparison against the vulnerable range.
  • The DOM XSS payload is delivered via the URL fragment using the elementor-action lightbox handler with a base64-encoded settings parameter containing an onerror JavaScript injection; monitor for requests to '/#elementor-action:action=lightbox&settings=' with suspicious base64 blobs.
  • Headless browser detection: after navigating to the exploit URL, a dialog (waitdialog) named 'elementor_dom' is expected to fire, confirming successful XSS execution.
  • The vulnerability is unauthenticated and DOM-based (fragment-based): the malicious payload sits in the URL fragment (#), which is never sent to the server in a standard HTTP request, so server-side WAF/log inspection will not capture the attack vector.
  • The passive/version-check template only confirms that a vulnerable version is installed; it does not confirm active exploitation. Pair it with the headless/active template for full confirmation.
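
The passive readme.txt check described above can be reproduced for an asset inventory. This is an added example, not code from the page or from the template it summarizes: the function names and the sample bodies are assumptions, while the regex, the marker string and the `<= 3.5.5` bound are the ones quoted above.

```python
import re

# Regex and marker string are the ones the page quotes for the readme.txt check.
STABLE_TAG = re.compile(r"(?m)Stable tag: ([0-9.]+)")
MARKER = "Elementor Website Builder"
LAST_AFFECTED = (3, 5, 5)  # page: affected range is <= 3.5.5


def parse_version(text):
    """Turn '3.5.5' into (3, 5, 5); tolerate stray dots the regex may capture."""
    return tuple(int(p) for p in text.split(".") if p)


def pad(version, width):
    """Right-pad with zeros so '3.5' compares as 3.5.0."""
    return version + (0,) * (width - len(version))


def classify_readme(status, body):
    """Return (verdict, version) for one fetched readme.txt response.

    verdict is 'affected', 'not-affected' or 'unknown' (check did not apply).
    """
    if status != 200 or MARKER not in body:
        return ("unknown", None)
    match = STABLE_TAG.search(body)
    if not match:
        return ("unknown", None)
    version = parse_version(match.group(1))
    if not version:
        return ("unknown", None)
    width = max(len(version), len(LAST_AFFECTED))
    # Compare numerically: a string compare would rank 3.10.0 below 3.5.5.
    affected = pad(version, width) <= pad(LAST_AFFECTED, width)
    verdict = "affected" if affected else "not-affected"
    return (verdict, ".".join(map(str, version)))


# Constructed sample bodies (not captured from a real site).
OLD = "=== Elementor Website Builder ===\nContributors: elementor\nStable tag: 3.5.5\n"
NEW = "=== Elementor Website Builder ===\nStable tag: 3.6.0\n"

if __name__ == "__main__":
    for name, body in (("old", OLD), ("new", NEW)):
        print(name, classify_readme(200, body))
```

An `unknown` verdict means only that the readme was missing or unrecognized, not that the site is patched.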

CVSS provenance

nvd  v3.1  6.1  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd  v2.0  4.3  MEDIUM  AV:N/AC:M/Au:N/C:N/I:P/A:N