CVE-2024-4619

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.5%

top 33.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elementor Website Builder Elemntor Elementor Website Builder – More Than Just A Page Builder

Timeline

PublishedMay 21

Description

The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘hover_animation’ parameter in versions up to, and including, 3.21.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5elemntor/elementor_website_builder_–_more_than_just_a_page_builder3.21.5

▶NVDelementor/website_builder< 3.21.5

🔴Vulnerability Details

GHSA

GHSA-rwqc-8qvc-52fh: The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘hov↗2024-05-21

▶

CVEList

Elementor Website Builder – More than Just a Page Builder <= 3.21.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting↗2024-05-21

▶