The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, causing all sanitization to be skipped. The unsanitized data is then stored via update_post_meta() and later output without escaping through multiple widget sinks including the HTML widget's print_unescaped_setting() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Elementor Website Builder plugin for WordPress versions up to 4.0.4 contains a Stored Cross-Site Scripting vulnerability in the _elementor_data meta field due to insufficient input sanitization on form-encoded REST API requests. Authenticated contributors can inject malicious scripts that are stored and executed when the page is viewed, potentially compromising website integrity and user data.
يحتوي مكون Elementor Website Builder للإصدارات حتى 4.0.4 على ثغرة Stored XSS في حقل _elementor_data Meta بسبب عدم كفاية تنظيف المدخلات عند معالجة طلبات REST API المشفرة بالنموذج. يمكن للمساهمين المصرح لهم حقن برامج نصية ضارة يتم تخزينها وتنفيذها عند عرض الصفحة.
Elementor Website Builder plugin for WordPress versions up to 4.0.4 contains a Stored Cross-Site Scripting vulnerability in the _elementor_data meta field due to insufficient input sanitization on form-encoded REST API requests. Authenticated contributors can inject malicious scripts that are stored and executed when the page is viewed, potentially compromising website integrity and user data.
Update Elementor Website Builder plugin to version 4.0.5 or later immediately. Implement strict input validation and sanitization for all REST API endpoints. Apply the sanitize_callback parameter to all meta fields exposed via REST API. Review and restrict contributor permissions to prevent unauthorized REST API access. Monitor for suspicious REST API requests with form-encoded payloads targeting the _elementor_data field.
قم بتحديث مكون Elementor Website Builder إلى الإصدار 4.0.5 أو أحدث فوراً. طبق التحقق الصارم من المدخلات والتنظيف لجميع نقاط نهاية REST API. طبق معامل sanitize_callback على جميع حقول Meta المكشوفة عبر REST API. راجع وقيد صلاحيات المساهمين لمنع الوصول غير المصرح به إلى REST API. راقب طلبات REST API المريبة ذات الحمولات المشفرة بالنموذج التي تستهدف حقل _elementor_data.