CVE-2021-24201

CVE-2021-24201: Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Column Element

Vendor Unknown

Product Elementor Website Builder

Weakness CWE-79 · XSS

Published April 5, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘html_tag’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.

Key dates

02Disclosure timeline

April 5, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24201 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2015-20114 RealtyScript 4.0.2 Cross-Site Scripting via Multiple Parameters CVE-2023-3884 Campcodes Beauty Salon Management System edit_product.php cross site scripting CVE-2024-47096 Reflected Cross-Site Scripting in Follet School Solutions Destiny CVE-2023-45630 WordPress Responsive Image Gallery, Gallery Album Plugin <= 2.0.3 is vulnerable to Cross Site Scripting (XSS) CVE-2025-6550 The Pack Elementor addon <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting