CVE-2021-24205

In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_size’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://wpscan.com/vulnerability/ef23df6d-e265-44f6-bb94-1005b16d34d9	Exploit Third Party Advisory
https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2021-04-05 19:15

Updated : 2024-02-04 21:47

NVD link : CVE-2021-24205

Mitre link : CVE-2021-24205

CVE.ORG link : CVE-2021-24205

JSON object : View

Products Affected

elementor

website_builder

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2021-24205", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2021-04-05T19:15:17.140", "references": [{"url": "https://wpscan.com/vulnerability/ef23df6d-e265-44f6-bb94-1005b16d34d9", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/", "tags": ["Exploit", "Third Party Advisory"], "source": "contact@wpscan.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "contact@wpscan.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a \u2018title_size\u2019 parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified \u2018save_builder\u2019 request containing JavaScript in the \u2018title_size\u2019 parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed."}, {"lang": "es", "value": "En el plugin de WordPress Elementor Website Builder versiones anteriores a 3.1.4, el widget icon box (el archivo includes/widgets/icon-box.php) acepta un par\u00e1metro \"title_size\". Aunque el control de elementos enumera un conjunto fijo de posibles etiquetas html, es posible que un usuario con permisos de Colaborador o superiores env\u00ede una petici\u00f3n \"save_builder\" modificada que contenga JavaScript en el par\u00e1metro \"title_size\", que no se filtra y se genera sin escapar . Este JavaScript ser\u00e1 ejecutado cuando la p\u00e1gina guardada sea visualizada o previsualizada"}], "lastModified": "2021-04-09T17:19:22.930", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "493EC195-F031-4D35-9143-9399AEB9292A", "versionEndExcluding": "3.1.4"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}