Unknown Elementor Website Builder vulnerabilities
9 known vulnerabilities affecting unknown/elementor_website_builder.
Total CVEs: 9
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 8
Vulnerabilities
CVE-2022-4953 | MEDIUM | CVSS 6.1 | CWE-80 | PoC | fixed in 3.5.5 | 2023-08-14
The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
Sources: cvelistv5, nvd
CVE-2023-0329 | HIGH | CVSS 7.2 | CWE-89 | fixed in 3.12.2 | 2023-05-30
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.
Sources: cvelistv5, nvd
CVE-2021-24891 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | ≥ 3.4.8, < 3.4.8 | 2021-11-23
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.
Sources: cvelistv5, nvd
CVE-2021-24206 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 3.1.4, < 3.1.4 | 2021-04-05
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in
Sources: cvelistv5, nvd
CVE-2021-24202 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 3.1.4, < 3.1.4 | 2021-04-05
In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request with this parameter set to
Sources: cvelistv5, nvd
CVE-2021-24203 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 3.1.4, < 3.1.4 | 2021-04-05
In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request with this parameter set to ‘s
Sources: cvelistv5, nvd
CVE-2021-24201 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 3.1.4, < 3.1.4 | 2021-04-05
In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the
Sources: cvelistv5, nvd
CVE-2021-24205 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 3.1.4, < 3.1.4 | 2021-04-05
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in t
Sources: cvelistv5, nvd
CVE-2021-24204 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 3.1.4, < 3.1.4 | 2021-04-05
In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScrip
Sources: cvelistv5, nvd