Reflected Cross-Site Scripting Vulnerability in Elementor Website Builder Plugin
CVE-2024-0506

5.4MEDIUM

Key Information:

Vendor
Wordpress
Status
Elementor Website Builder – More than Just a Page Builder
Vendor
CVE Published:
29 February 2024

Summary

The Elementor Website Builder plugin for WordPress is susceptible to a Reflected Cross-Site Scripting vulnerability due to insufficient input sanitization and output escaping in the get_image_alt function. This affects all versions up to and including 3.18.3. Authenticated attackers with contributor access can exploit this vulnerability to inject arbitrary web scripts into webpages, which can execute when users are tricked into clicking malicious links.

Affected Version(s)

Elementor Website Builder – More than Just a Page Builder * <= 3.18.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/elementor/tags...
https://plugins.trac.wordpress.org/browser/elementor/tags...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley
.