CVE-2021-24204

Name of the Vulnerable Software and Affected Versions: Elementor Website Builder WordPress plugin versions prior to 3.1.4

Description: The issue concerns the accordion widget in the Elementor Website Builder WordPress plugin. A user with Contributor or above permissions can send a modified 'save builder' request containing JavaScript in the title html tag parameter. This JavaScript is not filtered and is output without escaping, allowing it to be executed when the saved page is viewed or previewed.

Recommendations: For versions prior to 3.1.4, update to version 3.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the accordion widget for users with Contributor or above permissions until the update is applied. Additionally, avoid using the title html tag parameter in the affected accordion widget until the issue is resolved.