CVE-2021-24206

Name of the Vulnerable Software and Affected Versions: Elementor Website Builder WordPress plugin versions prior to 3.1.4

Description: The issue allows a user with Contributor or above permissions to inject JavaScript into the title size parameter of the image box widget. This JavaScript is not filtered and is output without escaping, leading to its execution when the saved page is viewed or previewed. The element control lists a fixed set of possible HTML tags, but it is still possible to send a modified save builder request containing malicious JavaScript.

Recommendations: For versions prior to 3.1.4, update to version 3.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the image box widget for users with Contributor or above permissions until the update is applied. Avoid using the title size parameter in the affected widget until the issue is resolved.