PT-2022-3505 · Elementor · Elementor Website Builder

Rotem Bar · Published 2022-06-13 · Updated 2024-09-01 · CVE-2022-29455

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Elementor Website Builder plugin versions prior to 3.5.6

Description: The issue stems from insufficient neutralization of input that is used to build the webpage structure, allowing a remote attacker to perform cross-site scripting. This is a DOM-based reflected cross-site scripting (XSS) vulnerability. An estimated 6.5 million websites are potentially affected. The vulnerability can be exploited by manipulating the settings parameter handled by /wp-content/plugins/elementor/assets/js/frontend.min.js, specifically through the elementor-action handler with action=lightbox and crafted settings that inject malicious scripts.

Recommendations: For Elementor Website Builder plugin versions prior to 3.5.6, update the plugin to a version newer than 3.5.5 to resolve the issue. As a temporary workaround, consider restricting access to the /wp-content/plugins/elementor/assets/js/frontend.min.js endpoint until the patch is applied, and avoid using the settings parameter of the affected endpoint until the issue is resolved.
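The defensive pattern for this class of bug is to treat the URL fragment as untrusted input: parse it, validate every field of the settings object against an allow-list of keys, types and URL schemes, and build markup only from validated values, escaping text before it is placed in HTML. The following is an added illustration of that pattern and is not Elementor's code; the fragment layout (`#elementor-action:action=lightbox&settings=<URL-encoded JSON>`), the settings keys `url`, `type` and `title`, and the allowed `type` values are assumptions made for the example and may differ from the plugin's real format.

```javascript
// Added example (not Elementor's code): defensive handling of a lightbox
// "settings" value taken from the URL fragment. Assumed layout (not the
// plugin's real format): "#elementor-action:action=lightbox&settings=<URL-encoded JSON>".
const ALLOWED_ACTIONS = new Set(['lightbox']);
// Hypothetical settings schema: key -> kind of value accepted.
const SETTINGS_SCHEMA = { url: 'url', type: 'enum', title: 'text' };
const ALLOWED_TYPES = new Set(['image', 'video']);
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Escape a string for safe use as HTML text or inside a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Split the fragment into an action and its parameters; unknown actions are rejected.
function parseFragment(fragment) {
  const prefix = '#elementor-action:';
  if (typeof fragment !== 'string' || !fragment.startsWith(prefix)) return null;
  const params = new URLSearchParams(fragment.slice(prefix.length));
  const action = params.get('action');
  if (!ALLOWED_ACTIONS.has(action)) return null;
  return { action, params };
}

// Parse the JSON settings and keep only schema keys with well-typed, allow-listed values.
function validateLightboxSettings(raw) {
  let obj;
  try { obj = JSON.parse(raw); } catch { return null; }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  // Any key outside the schema (including "__proto__" or "constructor") rejects the whole object.
  for (const key of Object.keys(obj)) {
    if (!Object.prototype.hasOwnProperty.call(SETTINGS_SCHEMA, key)) return null;
  }
  const out = {};
  for (const [key, kind] of Object.entries(SETTINGS_SCHEMA)) {
    const v = obj[key];
    if (v === undefined) continue;
    if (typeof v !== 'string') return null;
    if (kind === 'url') {
      let u;
      try { u = new URL(v); } catch { return null; }
      if (!ALLOWED_SCHEMES.has(u.protocol)) return null; // no javascript:, data:, file: ...
      out[key] = u.href;
    } else if (kind === 'enum') {
      if (!ALLOWED_TYPES.has(v)) return null;
      out[key] = v;
    } else {
      out[key] = v; // free text; escaped at render time, never inserted raw
    }
  }
  if (!out.url || !out.type) return null; // both required to render anything
  return out;
}

// Build the lightbox markup from validated fields only.
function renderLightbox(settings) {
  const src = escapeHtml(settings.url);
  const caption = settings.title ? `<figcaption>${escapeHtml(settings.title)}</figcaption>` : '';
  const media = settings.type === 'video'
    ? `<video src="${src}" controls></video>`
    : `<img src="${src}" alt="">`;
  return `<figure>${media}${caption}</figure>`;
}

// End-to-end: fragment in, safe HTML string (or null) out.
function handleFragment(fragment) {
  const parsed = parseFragment(fragment);
  if (!parsed) return null;
  const settings = validateLightboxSettings(parsed.params.get('settings') ?? '');
  if (!settings) return null;
  return renderLightbox(settings);
}

// Helper to build a fragment from a settings object (used for the constructed inputs below).
function buildFragment(settingsObj, action = 'lightbox') {
  return `#elementor-action:action=${action}&settings=${encodeURIComponent(JSON.stringify(settingsObj))}`;
}

module.exports = { escapeHtml, parseFragment, validateLightboxSettings, renderLightbox, handleFragment, buildFragment };
```

The important design choice is that rejection is total: a single unexpected key, a non-string value, a `type` outside the allow-list or a URL with a non-HTTP scheme causes the handler to return `null` rather than rendering a partially sanitized object, and the only free-text field (`title`) reaches the DOM solely through `escapeHtml`. In a real page the returned string would be assigned to an element, or, better, the validated fields would be applied with `textContent` and `setAttribute` instead of building HTML at all.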

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2022-04286
CVE-2022-29455

Affected Products

Elementor Website Builder