Elementor < 3.5.5 - Iframe Injection
Description
The Elementor Website Builder WordPress plugin before 3.5.5 does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Elementor Website Builder plugin before 3.5.5 allows iframe injection via unvalidated user-controlled URLs in the lightbox feature.
Vulnerability
The Elementor Website Builder WordPress plugin versions before 3.5.5 fail to validate user-controlled URLs before loading them into the DOM via the lightbox feature. Specifically, the assets/dev/js/frontend/utils/lightbox.js file did not restrict the URL provider to only known video platforms (YouTube, Vimeo), allowing arbitrary URLs to be passed to an iframe element [1]. This affects all versions prior to 3.5.5.
Exploitation
An attacker can supply a crafted URL (e.g., via a post or page content) that, when a user clicks to open the lightbox, loads an iframe pointing to a malicious external site. No authentication is required if the attacker can inject content (e.g., as a contributor or via a compromised account). The vulnerability is triggered when the lightbox attempts to render a video from an unregistered provider, which previously would create an iframe with the attacker-controlled URL [1][2].
Impact
Successful exploitation allows an attacker to inject arbitrary iframes into the page, potentially leading to cross-frame scripting (XFS) attacks. This could be used to display phishing content, load malware, or perform clickjacking. The impact is limited to the context of the user's browser session and the permissions of the WordPress site.
Mitigation
The vulnerability is fixed in Elementor version 3.5.5, released on 2023-07-19 [2]. Users should update to 3.5.5 or later. No workaround is available for earlier versions. The fix adds a check that only allows iframes for known video providers (YouTube and Vimeo) and returns early for any other URL [1].
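The provider allowlist that the fix describes, written here as an added example in plain JavaScript; it is not Elementor's lightbox.js, and the function names and the host table are assumptions. A src is produced only for YouTube or Vimeo URLs (matched by exact hostname, not substring), and null is returned for everything else so that no iframe is created.

```javascript
// Added example, not Elementor's code: a provider allowlist for a lightbox
// that turns a user-supplied video URL into an iframe src. Function and
// provider table names here are hypothetical.

// Exact hostnames only; substring checks such as url.includes('youtube.com')
// would also accept hosts like youtube.com.attacker.example.
const VIDEO_PROVIDERS = {
  youtube: ['www.youtube.com', 'youtube.com', 'm.youtube.com', 'youtu.be'],
  vimeo: ['vimeo.com', 'www.vimeo.com', 'player.vimeo.com'],
};

// Returns { provider, parsed } for an allowlisted http(s) video URL, else null.
function parseVideoUrl(rawUrl) {
  let parsed;
  try {
    parsed = new URL(String(rawUrl)); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  const host = parsed.hostname.toLowerCase();
  for (const [provider, hosts] of Object.entries(VIDEO_PROVIDERS)) {
    if (hosts.includes(host)) return { provider, parsed };
  }
  return null;
}

// Builds the iframe src for a known provider, or returns null so the caller
// creates no iframe at all (the "return early" behaviour of the fix).
function buildEmbedSrc(rawUrl) {
  const match = parseVideoUrl(rawUrl);
  if (!match) return null;
  const { provider, parsed } = match;
  if (provider === 'youtube') {
    const id = parsed.hostname === 'youtu.be'
      ? parsed.pathname.slice(1)
      : parsed.searchParams.get('v');
    // YouTube video ids are 11 URL-safe characters; reject anything else.
    return /^[A-Za-z0-9_-]{11}$/.test(id || '') ? `https://www.youtube.com/embed/${id}` : null;
  }
  // Vimeo: numeric id in the path, optionally under /video/.
  const m = parsed.pathname.match(/^\/(?:video\/)?(\d+)$/);
  return m ? `https://player.vimeo.com/video/${m[1]}` : null;
}

// Caller side: only emit an iframe when a src was produced.
function lightboxIframeHtml(rawUrl) {
  const src = buildEmbedSrc(rawUrl);
  if (src === null) return null; // unknown provider: no iframe is rendered
  return `<iframe src="${src}" allowfullscreen></iframe>`;
}
```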
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.5.5
Patches
- 4893bc086472
- 292fc49e0f97
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] wpscan.com/vulnerability/8273357e-f9e1-44bc-8082-8faab838eda7 (mitre, exploit, vdb-entry, technical-description)
- [2] github.com/elementor/elementor/commit/292fc49e0f979bd52d838f0326d1faaebfa59f5e (mitre)
News mentions
No linked articles in our index yet.