CVE-2022-4953

moderate-risk
Published 2023-08-14

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.

Do I need to act?

!
13.4% chance of exploitation in next 30 days
EPSS score — higher than 87% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
51716
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Elementor

References (4)

Patch https://github.com/elementor/elementor/commit/292fc49e0f979bd52d838f0326d1faaebf...
Exploit https://wpscan.com/vulnerability/8273357e-f9e1-44bc-8082-8faab838eda7
Patch https://github.com/elementor/elementor/commit/292fc49e0f979bd52d838f0326d1faaebf...
Exploit https://wpscan.com/vulnerability/8273357e-f9e1-44bc-8082-8faab838eda7
40
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 12/34 · Low
Exposure 5/34 · Minimal