CVE-2022-4953

2023-08-1420:15:10

Google

osv.dev

elementor

wordpress

plugin

security

dom

injection

iframes

urls

malicious

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.9 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.5%

JSON

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.

CPENameOperatorVersion
elementoreq3.3.0-beta3
elementoreq3.0.10
elementoreq1.4.3
elementoreq2.0.1
elementoreq0.6.2
elementoreq2.4.7
elementoreq1.8.1
elementoreq3.2.0
elementoreq2.8.4
elementoreq2.5.16

Name	Operator	Version
elementor	eq	3.3.0-beta3
elementor	eq	3.0.10
elementor	eq	1.4.3
elementor	eq	2.0.1
elementor	eq	0.6.2
elementor	eq	2.4.7
elementor	eq	1.8.1
elementor	eq	3.2.0
elementor	eq	2.8.4
elementor	eq	2.5.16