Elementor < 3.5.5 - Iframe Injection
CVE-2022-4953

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Elementor Website Builder
Vendor: CVE Published:; 14 August 2023

Summary

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.

Affected Version(s)

Elementor Website Builder 0 < 3.5.5

References

https://wpscan.com/vulnerability/8273357e-f9e1-44bc-8082-...

exploitvdb-entrytechnical-description

https://github.com/elementor/elementor/commit/292fc49e0f9...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 14, 2023
Vulnerability Reserved
Jul 19, 2023

Credit

Miguel Santareno

WPScan