CVE-2021-24201 in Elementor Website Builder Plugin
Summary
by MITRE • 04/06/2021
In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.
Analysis
by VulDB Data Team • 04/10/2021
The vulnerability identified as CVE-2021-24201 affects the Elementor Website Builder WordPress plugin in versions prior to 3.1.4. It resides in the column element implementation in includes/elements/column.php and is a stored cross-site scripting flaw caused by missing input validation and missing output escaping. The column element takes its wrapper tag from the html_tag setting, which is meant to be restricted to a predefined set of HTML elements, but the plugin neither validates the stored value against that set nor escapes it when the page is rendered.
The root of the problem is inadequate parameter validation in the plugin's builder back end. The element control offers a fixed list of acceptable HTML tags, but the server does not enforce that list while processing the save_builder request. A user with Contributor permissions or higher can therefore submit a modified request whose html_tag value contains JavaScript. Because that value bypasses the sanitization applied elsewhere and is embedded directly into the page output, the result is persistent XSS that can be used as a path to privilege escalation.
The impact goes beyond simple script execution, because a stored payload runs in the browser of anyone who views or previews the affected page. When an administrator or another user loads a page containing a crafted column element, the embedded JavaScript executes in that user's browser context, which can lead to session hijacking, data exfiltration, or further compromise of the WordPress installation. The payload persists because it is stored in the page content itself and is active whenever the page is rendered, regardless of the viewer's role or permissions.
This vulnerability is classified as CWE-79 (Cross-site Scripting) and maps to ATT&CK technique T1566.001 (Phishing: Spearphishing Attachment), as attackers can use it to deliver malicious payloads through compromised WordPress pages. The exposure is significant because Contributor is a common role in WordPress installations, so the preconditions for exploitation are easy to meet. Organizations should update to Elementor 3.1.4 or later, add server-side input validation, and review existing pages for column elements whose html_tag values fall outside the expected set.
The root cause is input validation performed at the wrong stage: the restriction exists only in the editor's front-end control and is not enforced when the save_builder request is processed on the server. The value should be validated against the allowlist at save time and escaped again at output. As defense in depth, security practitioners should consider Content Security Policy headers, monitor for unexpected page-builder modifications, and audit WordPress installations regularly for similar flaws in other plugins and themes.
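The following PHP is an added example, not Elementor's code or the patch shipped in 3.1.4. It shows the three defensive pieces the analysis calls for: an allowlist check applied while saving the column settings (the stage the save_builder handling skipped), the same check repeated at render time as defense in depth, and an audit routine that walks an Elementor-style element tree (nested elType/settings/elements entries) and reports columns whose stored html_tag is not on the allowlist. The function names, the allowlist contents, and the sample element data are assumptions for illustration; the keys elType, settings, html_tag and _id mirror the structure Elementor stores, but the sample itself is constructed.

```php
<?php
// Added example (not Elementor's code). Names, the allowlist and the sample
// data are assumptions; only the key names mirror Elementor's element format.

// Tags the column control is meant to offer. The real list is not reproduced
// here; this one is an assumption for the example.
const COLUMN_HTML_TAGS = ['div', 'header', 'footer', 'main', 'article', 'section', 'aside', 'nav'];
const COLUMN_DEFAULT_TAG = 'div';

/**
 * Normalise and validate an html_tag value. Anything that is not exactly one
 * of the allowed tag names collapses to the default, so a modified
 * save_builder payload cannot smuggle markup or script through this setting.
 */
function validate_column_html_tag($value): string
{
    if (!is_string($value)) {
        return COLUMN_DEFAULT_TAG;
    }
    $tag = strtolower(trim($value));
    return in_array($tag, COLUMN_HTML_TAGS, true) ? $tag : COLUMN_DEFAULT_TAG;
}

/**
 * Enforce the allowlist while the element settings are being saved, i.e. on
 * the server during the save_builder request, not only in the editor UI.
 */
function sanitize_column_settings(array $settings): array
{
    $settings['html_tag'] = validate_column_html_tag($settings['html_tag'] ?? COLUMN_DEFAULT_TAG);
    return $settings;
}

/**
 * Render the column wrapper. The tag is validated again here so that data
 * saved before the fix, or by another code path, still cannot inject markup.
 * $inner_html is assumed to be already-rendered, already-escaped child output.
 */
function render_column(array $settings, string $inner_html): string
{
    $tag = validate_column_html_tag($settings['html_tag'] ?? COLUMN_DEFAULT_TAG);
    $id  = htmlspecialchars((string) ($settings['_id'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<{$tag} class=\"elementor-column\" data-id=\"{$id}\">{$inner_html}</{$tag}>";
}

/**
 * Walk a stored element tree and report every column whose html_tag is not
 * on the allowlist, for reviewing pages saved before the update.
 * Returns a list of ['path' => ..., 'html_tag' => ...] findings.
 */
function audit_column_tags(array $elements, string $path = ''): array
{
    $findings = [];
    foreach ($elements as $i => $el) {
        $here = $path . '/' . $i;
        if (($el['elType'] ?? '') === 'column') {
            $tag = $el['settings']['html_tag'] ?? COLUMN_DEFAULT_TAG;
            if (!is_string($tag) || !in_array($tag, COLUMN_HTML_TAGS, true)) {
                $findings[] = ['path' => $here, 'html_tag' => $tag];
            }
        }
        if (!empty($el['elements']) && is_array($el['elements'])) {
            $findings = array_merge($findings, audit_column_tags($el['elements'], $here));
        }
    }
    return $findings;
}

// Constructed sample page: one well-formed column and one whose html_tag was
// tampered with (an inert placeholder string stands in for a real payload).
$sample = [
    ['elType' => 'section', 'settings' => [], 'elements' => [
        ['elType' => 'column', 'settings' => ['html_tag' => 'section', '_id' => 'a1'], 'elements' => []],
        ['elType' => 'column', 'settings' => ['html_tag' => 'div"><not-a-tag>', '_id' => 'b2'], 'elements' => []],
    ]],
];

foreach (audit_column_tags($sample) as $finding) {
    printf("column at %s has a non-allowlisted html_tag: %s\n",
        $finding['path'], json_encode($finding['html_tag']));
}

// Saving through the sanitizer collapses the tampered value to the default,
// and rendering emits a plain <div> wrapper.
$saved = sanitize_column_settings($sample[0]['elements'][1]['settings']);
echo render_column($saved, 'column content'), "\n";
```

The audit function is deliberately strict: it flags anything that is not an exact, lowercase allowlist entry, so a reviewer sees every stored value that the fixed validator would have rewritten. In a real deployment the tree would come from the plugin's stored element data rather than the inline sample, and the render function would sit inside the element class rather than stand alone.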