Curated by Saijo George

Thursday 18 Mar 2021

Cross-Site Scripting Vulnerabilities Discovered in Elementor < 3.1.2

https://www.wordfence.com

The Elementor WordPress plugin is used on over 7 million websites. In versions prior to 3.1.2, HTML tags were not validated on the server side, so any user able to access the Elementor editor, including contributors, could add executable JavaScript to a post or page via a crafted request.

Since posts created by contributors are typically reviewed by editors or administrators before publishing, any JavaScript added to one of these posts would be executed in the reviewer’s browser. If an administrator reviewed a post containing malicious JavaScript, their authenticated session with high-level privileges could be used to create a new malicious administrator, or to add a backdoor to the site. An attack on this vulnerability could lead to site takeover.

The issue has been fixed in version 3.1.4, which is available now.
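The missing server-side check described above, shown as an added example that is not Elementor's own code: an unvalidated renderer beside one that accepts the tag only on an exact allowlist match. The function names, the allowlist and the sample values are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not taken from the Elementor code base.

// Assumed allowlist of tags an element may be wrapped in.
const ALLOWED_WRAPPER_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// "Before": the tag from the request is interpolated as-is, so whatever the
// request puts in that field becomes part of the stored page markup.
function render_heading_unvalidated(string $tag, string $text): string
{
    return sprintf('<%1$s>%2$s</%1$s>', $tag, htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Server-side check: exact, case-insensitive allowlist match. Anything else
// is replaced by a safe default rather than "cleaned".
function validate_wrapper_tag($tag, string $default = 'div'): string
{
    if (!is_string($tag)) {
        return $default; // arrays, null, etc. from a malformed request
    }
    $tag = strtolower($tag);
    return in_array($tag, ALLOWED_WRAPPER_TAGS, true) ? $tag : $default;
}

// "After": the tag is validated at render time, whatever the editor UI sent.
function render_heading($tag, string $text): string
{
    $safeTag = validate_wrapper_tag($tag);
    return sprintf('<%1$s>%2$s</%1$s>', $safeTag, htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample values for the tag field of a saved element.
$samples = ['h2', 'H3', 'script', 'h2 onmouseover=alert(1)', ['h2'], ''];
foreach ($samples as $sample) {
    printf("%-28s => %s\n", json_encode($sample), render_heading($sample, 'Hello <world>'));
}

// The same constructed value through both paths, for comparison.
echo render_heading_unvalidated('h2 onmouseover=alert(1)', 'Hello'), "\n";
echo render_heading('h2 onmouseover=alert(1)', 'Hello'), "\n";
```

Validating when the markup is rendered, not only when it is saved, also covers values stored before the check existed.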
