History: Aug 14, 2023 - 8:15 p.m.

CVE-2022-4953

2023-08-14 20:15:10
web.nvd.nist.gov
Tags: cve-2022-4953, elementor, website builder, wordpress, plugin, security vulnerability, injection, rogue iframes

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 6 Medium (Confidence: High)

EPSS: 0.002 Low (Percentile: 61.5%)

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.

Affected configurations

Node: elementor website_builder, Range: <3.5.5

Vendor: elementor
Product: website_builder
Version: *
CPE: cpe:2.3:a:elementor:website_builder:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Elementor Website Builder",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "3.5.5"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]
