CVE-2022-4953

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
WPScanCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 93%
VendorProductVersion
elementorwebsite_builder
𝑥
< 3.5.5
𝑥
= Vulnerable software versions
References
https://github.com/elementor/elementor/commit/292fc49e0f979bd52d838f0326d1faaebfa59f5e
https://wpscan.com/vulnerability/8273357e-f9e1-44bc-8082-8faab838eda7
https://github.com/elementor/elementor/commit/292fc49e0f979bd52d838f0326d1faaebfa59f5e
https://wpscan.com/vulnerability/8273357e-f9e1-44bc-8082-8faab838eda7