First published: Mon Apr 05 2021
In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Although the element control lists a fixed set of possible HTML tags, a user with Contributor or above permissions can send a modified ‘save_builder’ request with this parameter set to ‘script’, combined with a ‘title’ parameter containing JavaScript, which is then executed when the saved page is viewed or previewed.
Credit: contact@wpscan.com
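Because the injected tag is persisted with the page, a defender can audit already-saved content for the pattern described above. The following is an added example, not code from the advisory or from Elementor: it walks the nested element tree that Elementor stores for a page (assumed here to be the JSON in the `_elementor_data` post meta, with `elType`, `widgetType`, `settings` and `elements` keys) and reports heading widgets whose `header_size` is outside the tag list the control is meant to offer (the allow-list below is an assumption; compare it with the control definition in your installed heading.php).

```python
"""Audit saved Elementor page data for heading widgets with an unexpected tag."""
import json
from typing import Iterator

# Tags the heading widget's control is assumed to offer; verify against
# includes/widgets/heading.php of the installed plugin version.
ALLOWED_HEADER_TAGS = frozenset(
    {"h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "p"}
)


def iter_widgets(elements: list) -> Iterator[dict]:
    """Depth-first walk over the nested section/column/widget tree."""
    for element in elements:
        if element.get("elType") == "widget":
            yield element
        yield from iter_widgets(element.get("elements", []))


def find_unsafe_headings(builder_data: str) -> list[dict]:
    """Return heading widgets whose header_size is not in the allow-list.

    builder_data is the JSON string Elementor saves for one page
    (assumed to live in the `_elementor_data` post meta)."""
    findings = []
    for widget in iter_widgets(json.loads(builder_data)):
        if widget.get("widgetType") != "heading":
            continue
        settings = widget.get("settings", {})
        tag = settings.get("header_size")
        if tag is None or str(tag).strip().lower() in ALLOWED_HEADER_TAGS:
            continue
        findings.append({"id": widget.get("id"), "header_size": str(tag),
                         "title": str(settings.get("title", ""))})
    return findings


# Constructed sample page data: one benign heading, one with the tag overridden.
SAMPLE_DATA = json.dumps([
    {"id": "sec1", "elType": "section", "elements": [
        {"id": "col1", "elType": "column", "elements": [
            {"id": "w1", "elType": "widget", "widgetType": "heading",
             "settings": {"header_size": "h2", "title": "Welcome"}},
            {"id": "w2", "elType": "widget", "widgetType": "heading",
             "settings": {"header_size": "script",
                          "title": "(constructed JavaScript body)"}},
        ]},
    ]},
])

if __name__ == "__main__":
    for hit in find_unsafe_headings(SAMPLE_DATA):
        print(f"widget {hit['id']}: header_size={hit['header_size']!r}")
```

Run it against each post's saved builder data after upgrading, since the update stops new injections but does not rewrite content saved while the vulnerable version was active.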
Affected Software | Affected Version | How to fix |
---|---|---|
Elementor Website Builder WordPress | <3.1.4 | Update to 3.1.4 or later |
The vulnerability ID for the Elementor Website Builder WordPress plugin is CVE-2021-24202.
The severity of CVE-2021-24202 is medium with a CVSS score of 5.4.
The affected software of CVE-2021-24202 is the Elementor Website Builder WordPress plugin in versions before 3.1.4.
The CWE category of CVE-2021-24202 is CWE-79 (Cross-Site Scripting).
To fix CVE-2021-24202, update the Elementor Website Builder WordPress plugin to version 3.1.4 or higher.