CVE-2021-24202

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Heading Widget

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Although the element control lists a fixed set of possible HTML tags, a user with Contributor or above permissions can send a modified ‘save_builder’ request with this parameter set to ‘script’, combined with a ‘title’ parameter containing JavaScript, which will then be executed when the saved page is viewed or previewed.

*Credits: Ramuel Gall
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: Single
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-01-14 CVE Reserved
  • 2021-03-17 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Elementor | Website Builder | < 3.1.4 | wordpress | Affected