Website Builder
CVE-2024-0506
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $instance[alt] parameter in the get_image_alt function in all versions up to, and including, 3.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AnalysisAI
The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $instance[alt] parameter in the get_image_alt function in. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The Elementor Website Builder - More than Just a Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $instance[alt] parameter in the get_image_alt function in all versions up to, and including, 3.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Affected products include: Elementor Website Builder.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Website Builder
View allUnrestricted Upload of File with Dangerous Type vulnerability in Elementor.Com Elementor Website Builder.3.0 through 3.1
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due t
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor.Com Elem
The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL param
Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. Rated medium se
The Elementor Website Builder - More than Just a Page Builder Pro plugin for WordPress is vulnerable to Stored Cross-Sit
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in
DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 ve
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM v
The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template. R
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) ac
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) acce
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today