CVE-2021-24203

Name of the Vulnerable Software and Affected Versions: Elementor Website Builder WordPress plugin versions prior to 3.1.4

Description: The issue allows a user with Contributor or above permissions to execute JavaScript code when a saved page is viewed or previewed. This is achieved by sending a modified 'save builder' request with the html tag parameter set to 'script' and the text parameter containing JavaScript. The element control lists a fixed set of possible html tags, but it is still possible to exploit this issue.

Recommendations: For Elementor Website Builder WordPress plugin versions prior to 3.1.4, update to version 3.1.4 or later to resolve the issue. As a temporary workaround, consider restricting the html tag parameter in the divider widget to prevent it from being set to 'script' until a patch is applied. Additionally, restrict access to the 'save builder' request to minimize the risk of exploitation.