EPSS: 0.002 (Low)
Percentile: 53.2%
Description
The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K
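An added example, not the plugin's code and not the fix in the referenced commit: a check that decodes the base64 `settings` value of an `elementor-action` lightbox fragment like the one above and accepts the video URL only when it is HTTPS and its host is on an allowlist. The function name, the allowlist contents and the `+` handling are assumptions made for illustration.

```javascript
// Added example. ALLOWED_VIDEO_HOSTS and checkLightboxFragment are
// hypothetical names; the host list is an assumption, not Elementor's.
const ALLOWED_VIDEO_HOSTS = new Set(["www.youtube.com", "player.vimeo.com"]);
const ACTION_PREFIX = "#elementor-action:";

// Returns { ok: true, url } only for a lightbox video URL on an allowed
// HTTPS host; otherwise { ok: false, reason }.
function checkLightboxFragment(pageUrl) {
  let hash;
  try {
    hash = new URL(pageUrl).hash;
  } catch {
    return { ok: false, reason: "unparseable page URL" };
  }
  if (!hash.startsWith(ACTION_PREFIX)) {
    return { ok: false, reason: "no elementor-action fragment" };
  }
  const params = new URLSearchParams(hash.slice(ACTION_PREFIX.length));
  if (params.get("action") !== "lightbox") {
    return { ok: false, reason: "not a lightbox action" };
  }
  // URLSearchParams turns "+" into a space; restore it before base64 decoding.
  const encoded = (params.get("settings") || "").replace(/ /g, "+");
  let settings;
  try {
    settings = JSON.parse(atob(encoded));
  } catch {
    return { ok: false, reason: "settings is not base64-encoded JSON" };
  }
  if (!settings || settings.type !== "video" || typeof settings.url !== "string") {
    return { ok: false, reason: "unsupported lightbox settings" };
  }
  let target;
  try {
    target = new URL(settings.url);
  } catch {
    return { ok: false, reason: "video URL is not absolute" };
  }
  if (target.protocol !== "https:" || !ALLOWED_VIDEO_HOSTS.has(target.hostname)) {
    return { ok: false, reason: `target not allowed: ${target.protocol}//${target.hostname}` };
  }
  return { ok: true, url: target.href };
}

// The fragment from the proof-of-concept URL on this page is rejected.
const poc = "https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=" +
  "eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K";
console.log(checkLightboxFragment(poc));
```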
github.com/elementor/elementor/commit/292fc49e0f979bd52d838f0326d1faaebfa59f5e