CVE-2021-24206 in Elementor Website Builder Plugin

Summary

by MITRE • 04/06/2021

In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_size’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.


Analysis

by VulDB Data Team • 04/10/2021

CVE-2021-24206 affects the Elementor Website Builder WordPress plugin in versions before 3.1.4 (3.1.3 and earlier). It is a stored cross-site scripting flaw in the image box widget (includes/widgets/image-box.php). The widget's title_size control presents a fixed set of HTML tags in the editor, but that restriction is enforced only by the editor interface: the server does not re-validate the value it receives through the save_builder request, and the value is written into the rendered markup without escaping. A user with Contributor or higher privileges can therefore submit a modified save_builder request whose title_size carries JavaScript instead of a tag name.

Exploitation requires only a Contributor account. The attacker captures or reconstructs the save_builder request the editor sends, replaces the title_size value with markup carrying a script or event handler, and saves the page. The plugin treats the restricted dropdown as sufficient protection and never checks the submitted tag against the allowed list before output, so the payload is stored with the page and executes in the browser of every user who views or previews it, administrators included. The privilege requirement is what makes this notable: WordPress Contributors cannot publish posts, upload files, or use the unfiltered_html capability, precisely so that their content is filtered before it reaches other users. This flaw lets such a low-trust account cross that boundary.
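The pattern described above, reduced to a self-contained script. This is an added example and not Elementor's code: the function names, the ALLOWED_TITLE_TAGS list standing in for the editor control's tag set, and the constructed $malicious settings are assumptions for illustration. render_title_vulnerable() shows why trusting the editor's dropdown fails once the request is tampered with; render_title_fixed() shows the shape of the remedy, a server-side allow-list check with a safe default.

```php
<?php
// Added example modelling CVE-2021-24206; not code from the Elementor plugin.
// Function names, ALLOWED_TITLE_TAGS and the sample settings are assumptions.
declare(strict_types=1);

// Stand-in for WordPress's esc_html() so the script runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Tags the editor control offers for title_size. Elementor defines a fixed
// set in the control; this array stands in for it (assumed values).
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Vulnerable pattern: the tag name is trusted because the UI only offers
// allowed values, then concatenated straight into the markup. A modified
// save_builder request never goes through the UI, so $tag is attacker input.
function render_title_vulnerable(array $settings): string
{
    $tag   = $settings['title_size'] ?? 'h3';
    $title = esc_html((string) ($settings['title_text'] ?? ''));
    // Escaping the text does not help: $tag becomes the element itself, and a
    // tag name cannot be "escaped" into safety; it has to be validated.
    return "<{$tag} class=\"elementor-image-box-title\">{$title}</{$tag}>";
}

// Hardened pattern: validate server-side against the allow-list and fall
// back to a known-safe tag. This mirrors the fix's intent, not its exact code.
function validate_html_tag(string $tag, string $default = 'h3'): string
{
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_TITLE_TAGS, true) ? $tag : $default;
}

function render_title_fixed(array $settings): string
{
    $tag   = validate_html_tag((string) ($settings['title_size'] ?? 'h3'));
    $title = esc_html((string) ($settings['title_text'] ?? ''));
    return "<{$tag} class=\"elementor-image-box-title\">{$title}</{$tag}>";
}

// Constructed widget settings as they would arrive inside a save_builder
// request body. The attacker edits the JSON, not the dropdown.
$benign    = ['title_size' => 'h2', 'title_text' => 'Our services'];
$malicious = [
    'title_size' => 'img src=x onerror=alert(document.cookie)',
    'title_text' => 'Our services',
];

echo "vulnerable, benign:  ", render_title_vulnerable($benign), "\n";
echo "vulnerable, crafted: ", render_title_vulnerable($malicious), "\n";
echo "fixed, crafted:      ", render_title_fixed($malicious), "\n";
```

With the crafted settings the vulnerable renderer emits an img element whose onerror handler fires as soon as the page loads, while the hardened renderer silently downgrades the bogus tag to h3. The design point is that allow-list validation has to happen where the value is consumed, on the server, because any client-side restriction is under the attacker's control.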

Operationally, the impact is that of a stored XSS in an administrative context: the JavaScript runs in the browser of whoever opens the page, so an attacker can steal session cookies or credentials, perform actions with the viewer's privileges, or load further payloads. Only Contributor-level access is required, and that role is routinely handed to guest authors and external content writers, so the bar is low on multi-author sites. Because the payload lives in the saved page data, it executes on every load until it is removed, and a tampered tag name is easy to overlook in an ordinary review of page content.

Affected sites should update Elementor to version 3.1.4 or later. The fix validates the submitted title_size on the server against the allowed set of tags before the value is used to build the element, instead of relying on the editor control; validation is the only effective control here, since a tag name cannot simply be escaped. Additional mitigations include limiting Contributor accounts to users who need them and reviewing them periodically, logging and alerting on save_builder requests whose settings contain values outside the editor's allowed set, and auditing stored page data for tampered values, since a payload saved before the upgrade may still be present in the database. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'). In ATT&CK terms the payload execution maps to T1059.007 (Command and Scripting Interpreter: JavaScript); the phishing technique (T1566) does not apply, as no phishing is involved.
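One way to carry out the stored-data audit suggested above, as an added example that is not part of the original page or the Elementor project. The script walks an Elementor element tree and reports image-box widgets whose title_size is not one of the expected tags. The meta key _elementor_data, the widgetType value "image-box", and the $sample JSON are assumptions for illustration; the sample is constructed, not captured from a real site.

```php
<?php
// Added example: audit saved Elementor page data for tampered title_size
// values. Not Elementor's code. The meta key, widgetType string, tag set and
// the sample tree below are assumptions for illustration.
declare(strict_types=1);

const EXPECTED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

/**
 * Recursively walk an element tree (sections > columns > widgets) and return
 * one finding per image-box widget whose title_size is outside the tag set.
 */
function find_suspicious_title_sizes(array $elements, string $path = ''): array
{
    $findings = [];
    foreach ($elements as $i => $el) {
        $here = $path . '/' . ($el['id'] ?? (string) $i);

        if (($el['elType'] ?? '') === 'widget' && ($el['widgetType'] ?? '') === 'image-box') {
            $tag = $el['settings']['title_size'] ?? null;
            if ($tag !== null && !in_array(strtolower((string) $tag), EXPECTED_TITLE_TAGS, true)) {
                $findings[] = ['path' => $here, 'title_size' => (string) $tag];
            }
        }

        // Sections and columns nest further elements; recurse into them.
        if (!empty($el['elements']) && is_array($el['elements'])) {
            $findings = array_merge($findings, find_suspicious_title_sizes($el['elements'], $here));
        }
    }
    return $findings;
}

// Constructed _elementor_data for one post: a clean image box and a tampered one.
$sample = <<<'JSON'
[
  {"id":"a1","elType":"section","elements":[
    {"id":"b2","elType":"column","elements":[
      {"id":"c3","elType":"widget","widgetType":"image-box",
       "settings":{"title_size":"h3","title_text":"Fast delivery"}},
      {"id":"d4","elType":"widget","widgetType":"image-box",
       "settings":{"title_size":"img src=x onerror=alert(1)","title_text":"Support"}}
    ]}
  ]}
]
JSON;

$tree = json_decode($sample, true, 512, JSON_THROW_ON_ERROR);
foreach (find_suspicious_title_sizes($tree) as $f) {
    printf("suspicious title_size at %s: %s\n", $f['path'], $f['title_size']);
}
```

Inside WordPress the same function can be fed the value of get_post_meta($post_id, '_elementor_data', true) for each post that Elementor manages (assuming that meta key, which is where Elementor keeps the element tree), or the JSON exported with WP-CLI via wp post meta get. The check is deliberately narrow, one widget and one setting, because that is what this CVE covers; extending it to other widgets' tag-selection settings is a matter of adding their widgetType and setting names.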

Reservation

01/14/2021

Disclosure

04/06/2021

Moderation

accepted

CPE

ready

EPSS

0.00746

KEV

no

Activities

very low

Sources
