CVE-2022-4953

Elementor < 3.5.5 - Iframe Injection

EPSS 2.0%

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.

Affected products

Unknown · Elementor Website Builder

public PoCs found — 2

cve_referencewpscan.com/vulnerability/8273357e-f9e1-44bc-8082-8faab838eda7unverified exploitdbwww.exploit-db.com/exploits/51716unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/elementor/elementor/commit/292fc49e0f979bd52d838f0326d1faaebfa59f5e https://wpscan.com/vulnerability/8273357e-f9e1-44bc-8082-8faab838eda7