Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-4953Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Website Builder

CWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)4 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
13.4%
top 5.80%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Elementor Website Builder
Timeline
PublishedAug 14
Latest updateSep 8

Description

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-3gvr-rm94-r528: The Elementor Website Builder WordPress plugin before 32023-08-14
CVEList
Elementor < 3.5.5 - Iframe Injection2023-08-14

💥Exploits & PoCs

1
Exploit-DB
Wordpress Plugin Elementor 3.5.5 - Iframe Injection2023-09-08
CVE-2022-4953 — Elementor Website Builder vulnerability | cvebase