PT-2021-23592 · Elementor+1

Ramuel Gall · Published 2021-11-17 · Updated 2021-11-19 · CVE-2021-42360

CVSS v3.1: 7.6 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Name of the Vulnerable Software and Affected Versions: WordPress (affected versions not specified)

Description: The issue allows users with the edit posts capability to import blocks onto any page using the "astra-page-elementor-batch-process" AJAX action. An attacker can craft a block containing malicious JavaScript, host it on a server they control, and then use it to overwrite any post or page by sending an AJAX request with the action set to "astra-page-elementor-batch-process", the url parameter pointing to the remotely hosted malicious block, and an id parameter identifying the post or page to overwrite. Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitor to that page.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
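
With no fixed version listed, one interim control is to watch for the request shape given in the Description. The following is an added detection sketch, not code from this advisory or from the affected plugin; the audit-log line format, the user names and the trusted-host allowlist are assumptions, and the sample lines are constructed.

```python
from urllib.parse import parse_qs, urlsplit

ACTION = "astra-page-elementor-batch-process"  # AJAX action named in the advisory
# Assumption: hosts this site legitimately imports blocks from (placeholder value).
TRUSTED_HOSTS = {"templates.example.com"}

# Constructed sample: "timestamp user form-encoded-POST-body", as a hypothetical
# request-body audit log might record calls to admin-ajax.php.
SAMPLE_LOG = """\
2021-11-18T10:02:11Z editor1 action=heartbeat&interval=15
2021-11-18T10:03:40Z editor1 action=astra-page-elementor-batch-process&url=https%3A%2F%2Ftemplates.example.com%2Fblock%2F12&id=88
2021-11-18T10:05:02Z contrib7 action=astra-page-elementor-batch-process&url=https%3A%2F%2Fblocks.untrusted.example%2Fb.json&id=2
2021-11-18T10:05:09Z contrib7 action=astra-page-elementor-batch-process&url=%2F%2Fblocks.untrusted.example%2Fb.json&id=3
2021-11-18T10:06:30Z contrib7 action=astra-page-elementor-batch-process&id=4
"""

def classify(body):
    """Return None for unrelated requests, else (verdict, post_id, host)."""
    params = parse_qs(body, keep_blank_values=True)
    # PHP keeps the last value of a repeated parameter, so read [-1] to see
    # the same value the server would act on.
    if params.get("action", [""])[-1] != ACTION:
        return None
    post_id = params.get("id", [""])[-1]
    url = params.get("url", [""])[-1]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not url:
        return ("no-url", post_id, host)
    if parts.scheme == "https" and host in TRUSTED_HOSTS:
        return ("trusted", post_id, host)
    # Anything else, including scheme-relative URLs, is an off-allowlist import.
    return ("suspicious", post_id, host)

def scan(log_text):
    """Return (timestamp, user, verdict, post_id, host) for each import request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(" ", 2)
        if len(fields) != 3:
            continue  # skip malformed lines
        result = classify(fields[2])
        if result:
            findings.append((fields[0], fields[1], *result))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Each "suspicious" finding names the account that sent the request and the post id that may have been overwritten, which is where to start reviewing page revisions.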

Exploit

Improper Access Control

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-42360

Affected Products

Elementor
WordPress