Vulnerability Description
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.
CVSS Score
6.1
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elementor | Website Builder | < 3.1.4 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/fbed0daa-007d-4f91-8d87-4bca7781de2dExploitThird Party Advisory
- https://www.jbelamor.com/xss-elementor-lightox.htmlExploitThird Party Advisory
- https://wpscan.com/vulnerability/fbed0daa-007d-4f91-8d87-4bca7781de2dExploitThird Party Advisory
- https://www.jbelamor.com/xss-elementor-lightox.htmlExploitThird Party Advisory
FAQ
What is CVE-2021-24891?
CVE-2021-24891 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.
How severe is CVE-2021-24891?
CVE-2021-24891 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24891?
Check the references section above for vendor advisories and patch information. Affected products include: Elementor Website Builder.