CVE-2021-42360 Starter Templates — Elementor, Gutenberg & Beaver Builder Templates <= 2.7.0 Authenticated Block Import to Stored XSS

2021-11-1717:45:46

CWE-284

CWE-79

CWE-99

Wordfence

www.cve.org

cve-2021-42360

elementor

gutenberg

beaver builder

stored xss

authenticated block import

CVSS3

7.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

EPSS

0.001

Percentile

24.8%

JSON

On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite. Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.

CNA Affected

[
  {
    "platforms": [
      "WordPress"
    ],
    "product": "Starter Templates — Elementor, Gutenberg & Beaver Builder Templates",
    "vendor": "BrainStormForce",
    "versions": [
      {
        "lessThanOrEqual": "2.7.0",
        "status": "affected",
        "version": "2.7.0",
        "versionType": "custom"
      }
    ]
  }
]