Elementor Website Builder Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Elementor Website Builder plugin for WordPress, affecting versions through 4.0.4. The issue arises from inadequate input sanitization when handling form-encoded REST API requests. The plugin registers the '_elementor_data' meta field as accessible via the REST API but does not attach a proper sanitization callback to it. Instead, it relies on a filter that only processes JSON-encoded data. As a result, when a contributor-level user sends a form-encoded PATCH request, the submitted data is saved unsanitized, allowing the injection of malicious script that executes whenever the affected page is viewed.
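As an added illustration of the mechanism described above (not Elementor's code, and not its 4.0.5 fix), the weak and the hardened forms of a WordPress meta registration, using a hypothetical '_example_builder_data' key on the 'page' post type: the weak form has no sanitize_callback, so any sanitization done elsewhere depends on the request encoding, while the hardened form attaches a callback that WordPress runs on every metadata write.

```php
<?php
// Added illustration, not Elementor's code: a hypothetical '_example_builder_data' meta key
// on the 'page' post type, exposed through the REST API.

add_action( 'init', function () {
    // Weak registration, shown for contrast only: no 'sanitize_callback'. If sanitization is
    // instead done by a filter that only inspects JSON-encoded request bodies, a form-encoded
    // request to the same REST route is never sanitized and the raw value is stored.
    $weak_args = array(
        'object_subtype' => 'page',
        'type'           => 'string',
        'single'         => true,
        'show_in_rest'   => true,
        'auth_callback'  => 'example_can_edit_object',
    );

    // Hardened registration: WordPress invokes 'sanitize_callback' from add_metadata() and
    // update_metadata(), so it runs on every write, however the request body was encoded.
    $hardened_args = $weak_args + array(
        'sanitize_callback' => 'example_sanitize_builder_data',
    );
    register_meta( 'post', '_example_builder_data', $hardened_args );
} );

function example_can_edit_object( $allowed, $meta_key, $object_id ) {
    // Protected (underscore-prefixed) keys are denied in REST unless an auth_callback allows
    // them; grant only to users who can edit this specific post.
    return current_user_can( 'edit_post', $object_id );
}

function example_sanitize_builder_data( $value ) {
    // The field must hold a JSON document; anything else is dropped rather than stored raw.
    $decoded = is_string( $value ) ? json_decode( $value, true ) : null;
    if ( ! is_array( $decoded ) ) {
        return '';
    }
    return wp_json_encode( example_kses_tree( $decoded ) );
}

function example_kses_tree( $node ) {
    // Walk the decoded JSON and pass every string leaf through wp_kses_post(), which keeps
    // ordinary post HTML but strips <script> elements and on* event-handler attributes.
    if ( is_array( $node ) ) {
        return array_map( 'example_kses_tree', $node );
    }
    return is_string( $node ) ? wp_kses_post( $node ) : $node;
}
```

Because sanitize_meta() is applied inside add_metadata() and update_metadata(), the callback also covers admin-side and programmatic writes, not only the REST route.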

Impact

Exploitation of this vulnerability allows authenticated users with contributor-level access to inject and execute arbitrary scripts on the site.

Reproduction

To reproduce this vulnerability, an authenticated user with contributor-level access sends a form-encoded PATCH request to the WordPress REST API that sets the '_elementor_data' meta field to unsanitized content, such as a script tag. Once the request is processed, the injected script executes when the page is viewed.

Remediation

Update the Elementor Website Builder plugin to version 4.0.5 or later, which addresses this vulnerability.

Added: May 1, 2026, 6:48 AM
Updated: May 1, 2026, 6:48 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.7
exploitability: 6.2
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.