Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveWordfenceCVE-2021-42360
HistoryNov 17, 2021 - 6:15 p.m.

CVE-2021-42360

2021-11-1718:15:08
CWE-99
CWE-284
CWE-79
Wordfence
web.nvd.nist.gov
26
cve-2021-42360
elementor
wordpress
security vulnerability
remote attack
block import
javascript execution

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

7.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON

On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite. Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.

Affected configurations

Nvd
Vulners
Node
brainstormforcestarter_templatesRange2.7.0wordpress
VendorProductVersionCPE
brainstormforcestarter_templates*cpe:2.3:a:brainstormforce:starter_templates:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "platforms": [
      "WordPress"
    ],
    "product": "Starter Templates — Elementor, Gutenberg & Beaver Builder Templates",
    "vendor": "BrainStormForce",
    "versions": [
      {
        "lessThanOrEqual": "2.7.0",
        "status": "affected",
        "version": "2.7.0",
        "versionType": "custom"
      }
    ]
  }
]

Related

openvas 1
cvelist 1
nvd 1
prion 1
cnvd 1
wpvulndb 1
wordfence 1
patchstack 1
openvas
openvas
WordPress Starter Templates Plugin < 2.7.1 XSS Vulnerability
2021-12-06 00:00:00
cvelist
cvelist
CVE-2021-42360 Starter Templates — Elementor, Gutenberg & Beaver Builder Templates <= 2.7.0 Authenticated Block Import to Stored XSS
2021-11-17 17:45:46
nvd
nvd
CVE-2021-42360
2021-11-17 18:15:08
prion
prion
Design/Logic Flaw
2021-11-17 18:15:00
cnvd
cnvd
WordPress Elementor Plugin Cross-Site Scripting Vulnerability (CNVD-2021-93366)
2021-11-21 00:00:00
wpvulndb
wpvulndb
Starter Templates < 2.7.1 - Contributor+ Block Import to Stored XSS
2021-11-11 00:00:00
wordfence
wordfence
Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin
2021-11-11 15:01:24
patchstack
patchstack
WordPress Starter Templates plugin <= 2.7.0 - Authenticated Block Import leading to Stored Cross-Site Scripting (XSS) vulnerability
2021-11-11 00:00:00

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

7.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON
Related for CVE-2021-42360
openvas1cvelist1nvd1prion1cnvd1wpvulndb1wordfence1patchstack1