Website Builder
CVE-2021-24891
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.
AnalysisAI
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. Affected products include: Elementor Website Builder. Version information: before 3.4.8.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Website Builder
View allUnrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.3.0 through 3.1
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due t
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor.Com Elem
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL param
Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. Rated medium se
The Elementor Website Builder - More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Sit
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in
DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 ve
The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template. R
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) ac
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) acce
In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) ac
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today