CVE-2021-24204 in Elementor Website Builder Plugininfo

Summary

by MITRE • 04/06/2021

In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/10/2021

The vulnerability identified as CVE-2021-24204 resides within the Elementor Website Builder WordPress plugin, specifically affecting versions prior to 3.1.4. This issue represents a classic cross-site scripting vulnerability that exploits improper input validation and output escaping mechanisms within the plugin's accordion widget implementation. The flaw manifests in the includes/widgets/accordion.php file where the 'title_html_tag' parameter is processed without adequate sanitization, creating a pathway for malicious code injection.

The technical flaw stems from the plugin's failure to properly validate and sanitize user-supplied input parameters within the accordion widget functionality. While the element control does define a limited set of acceptable HTML tags, the implementation does not enforce strict validation of the 'title_html_tag' parameter. Users with Contributor level permissions or higher can manipulate the 'save_builder' request to include JavaScript code within the title_html_tag parameter. This oversight allows attackers to bypass the intended security controls and inject malicious scripts that are subsequently executed in the context of the victim's browser.

The operational impact of this vulnerability is significant as it enables persistent cross-site scripting attacks against websites using the affected Elementor plugin version. When an attacker successfully injects JavaScript code through the title_html_tag parameter, the malicious script executes whenever the affected page is viewed or previewed by any user, including administrators. This creates a persistent threat vector that can be exploited for session hijacking, data theft, or redirection to malicious sites. The vulnerability affects not only the immediate user experience but also represents a potential gateway for more sophisticated attacks targeting the entire website infrastructure.

This vulnerability aligns with CWE-79, which describes Cross-Site Scripting (XSS) flaws, and demonstrates how improper input validation can lead to code execution in web applications. The attack pattern follows the typical exploitation methodology outlined in the MITRE ATT&CK framework under the T1059.001 technique for Command and Scripting Interpreter, where attackers leverage web application vulnerabilities to execute malicious code. The privilege escalation aspect of this vulnerability, requiring only Contributor permissions, makes it particularly concerning as it can be exploited by users who do not typically have elevated access rights. Organizations should implement immediate mitigations including updating to Elementor plugin version 3.1.4 or later, implementing proper input validation, and employing Content Security Policy headers to limit script execution. Additionally, administrators should review user permissions and consider implementing additional security measures such as web application firewalls to detect and prevent such injection attempts.

Reservation

01/14/2021

Disclosure

04/06/2021

Moderation

accepted

CPE

ready

EPSS

0.00746

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!