Tag: 2022

  • Elementor < 3.4.8 – DOM Cross-Site-Scripting

    The plugin does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. The issue was initially fixed in 3.1.4 but was re-introduced in 3.2.0. The base64 string is an encoded JSON with the following structure: This vulnerability has been fixed in version 3.1.4.…

  • CVE-2022-3360 – Unauthenticated PHP Object Injection via REST API

    The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability, attackers must have knowledge of the site secrets, allowing them to generate a…