CVE-2022-29455
Published 2022-06-13
CVE-2022-29455: DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions.
Priority P3 · 47 · medium · 6.1 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 23.18% (97.5th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elementor | elementor_website_builder | <= 3.5.5 | — |
| elementor | website_builder | <= 3.5.5 | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/#elementor-action:action=lightbox&settings=ewogICAgInR5cGUiOiAidmlkZW8iLAogICAgInVybCI6ICJodHRwOi8vIiwKICAgICJ2aWRlb1R5cGUiOiAiaG9zdGVkIiwKICAgICJ2aWRlb1BhcmFtcyI6IHsKICAgICAgICAib25lcnJvciI6ImFsZXJ0KGRvY3VtZW50LmRvbWFpbisnICcrZG9jdW1lbnQuY29va2llKSIsCiAgICAgICAgInN0eWxlIjogImJhY2tncm91bmQtY29sb3I6cmVkIgogICAgfQp9
path: /wp-content/plugins/elementor/readme.txt
- Probe for vulnerable Elementor versions (<= 3.5.5) by fetching the plugin readme.txt and extracting the 'Stable tag' version field; match versions <= 3.5.5 alongside HTTP 200 and a body containing 'Elementor Website Builder'.
- Version extraction from readme.txt uses the regex pattern '(?m)Stable tag: ([0-9.]+)' to identify the installed plugin version for comparison against the vulnerable range.
- The DOM XSS payload is delivered via the URL fragment using the elementor-action lightbox handler with a base64-encoded settings parameter containing an onerror JavaScript injection; monitor for requests to '/#elementor-action:action=lightbox&settings=' with suspicious base64 blobs.
- Headless browser detection: after navigating to the exploit URL, a dialog (waitdialog) named 'elementor_dom' is expected to fire, confirming successful XSS execution.
- The vulnerability is unauthenticated and DOM-based (fragment-based), meaning the malicious payload is never sent to the server in a standard HTTP request body, so server-side WAF/log inspection of the URL fragment (#) will not capture the attack vector.
- The passive/version-check template only confirms that a vulnerable version is installed; it does not confirm active exploitation. Pair it with the headless/active template for full confirmation.
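The two passive signals above, sketched as an added example (not taken from the Nuclei templates or from Elementor): classifying a readme.txt response you have already fetched from your own site, and triaging a link seen client-side (mail gateway, proxy or browser history) by decoding the lightbox `settings` blob and listing any event-handler keys. The host `wp.example`, the function names and the sample values are assumptions constructed for illustration.

```python
import base64, binascii, json, re
from urllib.parse import unquote, urlsplit

MAX_AFFECTED = (3, 5, 5)                               # page: <= 3.5.5 is affected
STABLE_TAG = re.compile(r"(?m)Stable tag: ([0-9.]+)")  # regex quoted on the page

def parse_version(text):
    """'3.5.10' -> (3, 5, 10); short versions are zero-padded, so '3.5' == 3.5.0."""
    parts = [int(p) for p in text.split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))

def readme_verdict(status, body):
    """Classify a readme.txt response as 'affected', 'not-affected' or 'unknown'."""
    m = STABLE_TAG.search(body)
    if status != 200 or "Elementor Website Builder" not in body or not m:
        return "unknown"  # wrong page, blocked, or no tag: do not guess
    return "affected" if parse_version(m.group(1)) <= MAX_AFFECTED else "not-affected"

def event_handler_keys(node):
    """Recursively collect JSON keys that look like DOM event handlers (on*)."""
    if isinstance(node, dict):
        own = [k for k in node if k.lower().startswith("on")]
        return own + [k for v in node.values() for k in event_handler_keys(v)]
    if isinstance(node, list):
        return [k for v in node for k in event_handler_keys(v)]
    return []

def lightbox_handlers(url):
    """Handler keys inside the base64 'settings' of an elementor-action fragment."""
    m = re.match(r"elementor-action:(?:.*&)?settings=([^&]*)", urlsplit(url).fragment)
    if not m:
        return []
    blob = unquote(m.group(1))
    try:
        decoded = base64.b64decode(blob + "=" * (-len(blob) % 4))
        return sorted(event_handler_keys(json.loads(decoded)))
    except (binascii.Error, ValueError):
        return []  # not base64 or not JSON: nothing to report

# Constructed samples (not captured data).
README = "=== Elementor Website Builder ===\nStable tag: 3.5.5\n"
SETTINGS = {"type": "video", "videoParams": {"onerror": "PLACEHOLDER", "style": "x"}}
LINK = ("https://wp.example/#elementor-action:action=lightbox&settings="
        + base64.b64encode(json.dumps(SETTINGS).encode()).decode())

if __name__ == "__main__":
    print(readme_verdict(200, README), lightbox_handlers(LINK))
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 3.5.10 below 3.5.5 and report a patched install as affected.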
CVSS provenance
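| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |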
No detection rules found.
Nuclei
WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2022-29455 [MEDIUM] WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting
WordPress Elementor Website Builder plugin 3.5.5 and prior contains a reflected cross-site scripting vulnerability via the document object model.
Template:
id: CVE-2022-29455-headless
info:
  name: WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting
  author: rotembar,daffainfo
  severity: medium
  description: |
    WordPress Elementor Website Builder plugin 3.5.5 and prior contains a reflected cross-site scripting vulnerability via the document object model.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.
  rem
Nuclei
WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2022-29455 [MEDIUM] WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting
WordPress Elementor Website Builder plugin 3.5.5 and prior contains a reflected cross-site scripting vulnerability via the document object model.
Template:
id: CVE-2022-29455
info:
  name: WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting
  author: rotembar,daffainfo
  severity: medium
  description: |
    WordPress Elementor Website Builder plugin 3.5.5 and prior contains a reflected cross-site scripting vulnerability via the document object model.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation:
No writeups or analysis indexed.
- https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-5-5-unauthenticated-dom-based-reflected-cross-site-scripting-xss-vulnerability
- https://rotem-bar.com/hacking-65-million-websites-greater-cve-2022-29455-elementor
- https://wordpress.org/plugins/elementor/#developers
Published: 2022-06-13