According to research, WordPress is in use by 43.2% of all websites on the internet in 2022. Developing WordPress websites is easy, and plugins make it easier by providing more flexible options. Elementor is marketed as the #1 free WordPress website builder; the official WordPress plugins website describes it as "THE #1 WEB CREATION PLATFORM, POWERING OVER 10M WEBSITES WORLDWIDE". The Elementor unauthenticated DOM XSS described here is triggered simply by visiting a crafted URL.
Elementor is WordPress's leading website-building platform, enabling web creators to build professional, pixel-perfect websites with an intuitive visual builder. It lets you quickly create polished websites for your clients or business with complete control over every piece, without writing a single line of code.
Statistics
Elementor is the leading platform powering over 10M websites. It is being actively maintained and updated. It has over 5 Million active installations to date.
CVE-2021-24891
The Elementor Website Builder WordPress plugin prior to version 3.1.4 does not sanitize or escape the user input appended to the DOM via a malicious hash, resulting in a DOM-based Reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability maps to CVE-2021-24891.
This exploit places the user's JavaScript payload into the DOM (Document Object Model) of the web page. When the page's own script processes the URL, the payload is written into the page and the pop-up appears.
Given the number of active installations, and the number of bug hunters looking for alert-box proofs of concept to claim bounties, this CVE is quite interesting.
DOM XSS
DOM XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.
To deliver a DOM-based XSS attack, you need to place data into a source so that it propagates to a sink and causes the execution of arbitrary JavaScript.
The most common source for DOM XSS is the URL, which is typically accessed with the window.location object. An attacker can construct a link to send a victim to a vulnerable page with a payload in the query string and fragment portions of the URL. In certain circumstances, such as when targeting a 404 page or a website running PHP, the path can also contain the payload if it is reflected on the page.
Lab Demo
For the demonstration, I will use Pentester Academy's lab on Elementor CVE-2021-24891.
Go to the lab and run the server, which will provide you with the lab link. Navigating to the lab link gives you a Kali Linux GUI instance as below

From the instructions, the target server's IP is the Kali IP (192.X.Y.Z) with Z replaced by 3. So we check the Kali IP using the ifconfig command as below

Kali instance has IP 192.254.43.2. Therefore, the target server’s IP will be 192.254.43.3.
nmap Scan
Now that we have the target IP, we run an nmap scan against it as below

The scan shows Apache serving WordPress on port 80 of the target. The instructions also mention that the target WordPress website is accessible through http://demo.ine.local.
Website Enumeration
Open the browser and navigate to http://demo.ine.local (or 192.254.43.3); you will see the following WordPress site

The site has 3 pages in total. We examine each page and look at its source code. The page source of the INE Testimonial page shows that an older version (3.1.3) of the Elementor plugin is in use; the latest version of Elementor at the time of writing is 3.7.2.

Alternatively, you can use the wpscan tool to enumerate the plugin versions installed on the website with the following command
wpscan --url http://demo.ine.local
Exploit
Searching for Elementor 3.1.3 exploits turns up a DOM-based reflected XSS exploit. It was discovered by Joel Belena; you can read the actual hunting of this vulnerability, and hence the exploit, here. The vulnerability exists in the frontend.min.js file, where the lightbox functions render data according to its type. If the type is not one of video, image, or slideshow, the HTML content of the modal is replaced with the "html" value from the user-supplied JSON. The write-up explains that to exploit this vulnerability, the target needs a web page using Elementor or Elementor Pro that loads the JavaScript file "frontend.min.js" with a version higher than 1.5 and lower than 3.1.4.
The vulnerable resource is the URL fragment #elementor-action:action=lightbox&settings= and the payload is supplied base64-encoded as the value of the settings parameter. The base64 string is an encoded JSON object with the following structure
{
"type":"null",
"html":"<script>alert('XSS By Jawad')</script>"
}
Inside the JSON object, "html" carries the payload. After inserting the payload, convert the JSON object to base64 and append it to the aforementioned URL fragment.
So the base64-encoded value of the above JSON object (with the whitespace removed) is
eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCdYU1MgQnkgSmF3YWQnKTwvc2NyaXB0PiJ9
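To make the source-to-sink path concrete, here is an added example (my own model, not Elementor's code) that parses the #elementor-action lightbox fragment the way the post describes and then renders it two ways: the pre-3.1.4 pattern, where a type outside video/image/slideshow falls through to an innerHTML sink fed by settings.html, and a hardened version that rejects unknown types and never lets a fragment value reach an HTML sink. The class names and the plain `modal` object standing in for the lightbox element are assumptions so the functions run in Node without a DOM.

```javascript
const ALLOWED_TYPES = new Set(["video", "image", "slideshow"]);

// Parse "#elementor-action:action=lightbox&settings=<base64 JSON>" into an object.
// Splits manually rather than with URLSearchParams so '+' in base64 survives.
// Returns null for anything that is not a lightbox action or not valid JSON.
function parseLightboxHash(hash) {
  const prefix = "#elementor-action:";
  if (!hash.startsWith(prefix)) return null;
  const params = {};
  for (const pair of hash.slice(prefix.length).split("&")) {
    const i = pair.indexOf("=");
    if (i > 0) params[pair.slice(0, i)] = pair.slice(i + 1);
  }
  if (params.action !== "lightbox" || !params.settings) return null;
  try {
    // Buffer.from(..., "base64") is Node's stand-in for the browser's atob().
    const settings = JSON.parse(Buffer.from(params.settings, "base64").toString("utf8"));
    return settings && typeof settings === "object" ? settings : null;
  } catch {
    return null;
  }
}

// Vulnerable pattern (pre-3.1.4, as the post describes it): a type outside the
// expected set falls through to an innerHTML sink fed by settings.html.
// `modal` is a plain object standing in for the lightbox element (assumption).
function renderLightboxVulnerable(hash, modal) {
  const settings = parseLightboxHash(hash);
  if (!settings) return modal;
  if (ALLOWED_TYPES.has(settings.type)) {
    modal.innerHTML = `<div class="lightbox-${settings.type}"></div>`;
  } else {
    modal.innerHTML = String(settings.html); // fragment-controlled markup: DOM XSS
  }
  return modal;
}

// Hardened handling: the type is validated against an allowlist before anything
// is rendered, and no value taken from the fragment reaches an HTML sink.
function renderLightboxFixed(hash, modal) {
  const settings = parseLightboxHash(hash);
  if (!settings || !ALLOWED_TYPES.has(settings.type)) return modal;
  modal.innerHTML = `<div class="lightbox-${settings.type}"></div>`;
  return modal;
}
```

Feeding the fragment from this post to both renderers shows the difference directly: the vulnerable path writes the decoded "html" string into the modal, while the fixed path leaves it untouched.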
Accordingly, the new URL will be
http://demo.ine.local/ine-testimonials#elementor-action:action=lightbox&settings=eyJ0eXBlIjoibnVsbCIsImh0bWwiOiI8c2NyaXB0PmFsZXJ0KCdYU1MgQnkgSmF3YWQnKTwvc2NyaXB0PiJ9
Simply visiting this URL triggers the XSS pop-up, as shown below

Impact
This is just a pop-up, but an attacker can use the same flaw for malicious purposes. The attacker could craft a payload that steals cookies and send the resulting URL to the site admin. If the admin is logged in and opens the page, their cookies are stolen; with those cookies the attacker can gain full access to the admin panel of the website, and more.
Other potential attacks are
- Redirecting visitors to another website
- Defacing the website
- Running crypto miners on the visitor's machine
Because Elementor is so widely used, websites still running old versions are likely to remain exposed to this DOM XSS vulnerability.
Remediation
This vulnerability was fixed in version 3.1.4. Therefore, if you are using Elementor to build your site, I would recommend upgrading to the latest version.