CVE-2021-24201

Опубликовано: 05 апр. 2021

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.

Ссылки

https://wpscan.com/vulnerability/9647f516-b130-4cc8-85fb-2e69b034ced0
Exploit
Third Party Advisory
https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/
Exploit
Third Party Advisory
https://wpscan.com/vulnerability/9647f516-b130-4cc8-85fb-2e69b034ced0
Exploit
Third Party Advisory
https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*

Версия до 3.1.4 (исключая)

EPSS

Процентиль: 30%

0.00108

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-vf33-c85r-62wf

github

больше 3 лет назад

In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an â€˜html_tagâ€™ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified â€˜save_builderâ€™ request containing JavaScript in the â€˜html_tagâ€™ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.