Cyber Resilience

CVE-2022-4953

MediumPublic PoC

Published: 14 August 2023

Published
14 August 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score 0.1154 93.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-4953 is a medium-severity an unspecified weakness vulnerability in Elementor Website Builder. Its CVSS base score is 6.1 (Medium).

Operationally, ranked in the top 6.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Elementor Website Builder WordPress plugin before version 3.5.5 contains a vulnerability in which user-controlled URLs are not filtered before being loaded into the DOM, enabling the injection of rogue iframes that reference arbitrary external locations. The affected component is the core URL handling logic within the page builder that renders user-supplied content without sufficient sanitization.

An unauthenticated remote attacker can supply a crafted URL that triggers the flaw when a victim interacts with the resulting page. Successful exploitation allows the attacker to load malicious iframes under the context of the vulnerable site, resulting in limited impacts to confidentiality and integrity as reflected in the CVSS 6.1 rating.

Public references point to a GitHub commit that addresses the issue by adding URL filtering and to a WPScan advisory that documents the affected versions; the recommended mitigation is to update the plugin to 3.5.5 or later. The EPSS score has remained in a moderate range with a recorded peak of 0.1338 and current value of 0.1154.

EU & UK References

Vulnerability details

The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

elementor
website builder
≤ 3.5.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References