Elementor Github

Preface: As part of our standard business practice, we endeavor to provide our penetration testers research time to develop tools, discover exploits and contribute to the community with the aim to stay ahead of the game.We always follow responsible disclosure guidelines!
  1. Elementor Code Github
  2. Github Website Builder
  3. Elementor Master Github

Elementor Code Github

Make Elementor the Default Editor, Not the WordPress Editor (Gutenberg or Classic) GitHub Instantly share code, notes, and snippets.


Github Website Builder

  1. Elementor General discussion and Chat area, talk about everything new or up and coming, while you can discuss possible feature requests and ideas, please use the official route for feature requests: Elementor Github.
  2. The Elementor plugin is widely used and is pretty awesome for rapidly prototyping varied pages with a nice drag and drop design method. You can have a look at the.
  3. Visit the official Developer Resources to learn how to extend Elementor. Get Involved Visit Elementor GitHub repository to contribute code or suggest new ideas.
  4. Elementor Website Builder comes with an exclusive toolset, that lets you create a truly responsive website in a whole new and visual way. From different font size, padding and margin per device, to reverse column ordering, this is the most powerful mobile site builder for creating perfect responsive websites. 40+ free widgets and counting.

During my monthly downtime I like to go bug hunting in WordPress plugins. Not because I am a malicious neer-do-well, but because WordPress now makes up over 30% of websites! Often plugins for WordPress contain security flaws that go unnoticed and and proceed to be installed on a multitude of sites which can be a serious issue.

WordPress is used by small businesses, enterprises and this blog. Therefore it seems appropriate that we could contribute to identifying risks.

Plugin Choice

The Elementor plugin is widely used and is pretty awesome for rapidly prototyping varied pages with a nice drag and drop design method. You can have a look at the plugin here:

The Identification

With the huge usage of the Elementor plugin (over 3 million installs) I put some time into investigating this in more depth.

View the profiles of people named Anthony Vivaldi. Join Facebook to connect with Anthony Vivaldi and others you may know. Facebook gives people the power. Antonio vivaldi notable works. View the profiles of people named Anthony M Vivaldi. Join Facebook to connect with Anthony M Vivaldi and others you may know. Facebook gives people the.

The plugin seems to be very well implemented but there is always a sneaky XSS somewhere. So in comes Burp Suite’s intruder dropping a whole heap of payloads into every dynamic part of the application….and….bingo!

The Exploit

Ok, so the “alert(1)” payload worked, it popped up my alert box as expected, however I wanted to try to get something that was more like an actual attack vector, thus I began to try the variations of document.cookie.

So trying the standard:

.and nope…sanitized.

Bypassing Sanitization

The next attempt is to try using an accessor instead:

…and again.still nothing.

Ok, so lets try and host the script on another system and see if I can use the XSS to call my script from elsewhere (actual hostnames and IPs redacted).

Unfortunately not, it seems spaces are also changed to underscores.

Ok, well there is a good trick to use the “form feed” character URL encoded (%0c) which should bypass that.

Ok, so that bypassed the issue with spaces, but we are getting some nasty URL encoded values rendered that are not going to pop this XSS.

However, I did notice that because the first “script src=” was being rendered, it was actually trying to call the remote script. However, this was not a valid URL by any means due to the inability to close off the script tags.

So I need to find a way to call my remote host correctly. Well a little while ago I had read a great post on using different variations on an IP address (octal, decimal and hex etc) that mean we can call the remote location without entering anything that looks like a URL.

Found Here
Article: XSS Without Dots

So a payload was built using this format that looked like the following (the redacted IP address is just in hexadecimal for this post):

Elementor Github

This would point to a remote server that simply had “alert(document.cookie)” in the index.html file.

Hmm, still getting issues with the URL encoding. Well lets try and sort that out by URL encoding this payload.


Final Thoughts / Remediation

Whilst this XSS was not a particularly difficult one to find, it had some nuances that made it awkward to find the right working payload. Persistence and a couple of hours free time were enough to get this working nicely.

The developers of Elementor were contacted prior to this post to ensure they had adequate time to remediate the issue. This has now been fixed with some extra sanitization.

If you are using Elementor 2.8.4 or below, please update now to the latest version!



Hosting free Elementor modern fully responsive WordPress theme. Perfect minimal style template for your next project. Free Elementor templates Drag and Drop WordPress page builder. Elementor plugin help you build elementor templates for business and agency. Hosting fully responsive WordPress free Elementor template with WooCommerce build in store Drag and Drop page builder. Multipurpose is modern and professional template for business and agency. Join 5,000,000+ Users That Enjoy The Free & Easy Way To Design WordPress Websites. Best Free WordPress Hosting Themes to open your online hosting business and host your clients websites in 2020

Required Plugins: Download Here

Download Elementor

Free Hosting IT Elementor Documentation

Elementor Documentation Setup

We built Elementor Templates with the designer in mind, to create a page builder that enables designers to reach high-end premium designs, without having to use CSS or code

Elementor includes many useful widgets, that have been custom made to work inside the live page builder. From changing the overlay of button colors to controlling the spacing inside the progress bar, there are endless design possibilities to explore.

The term ‘responsive design’ has been worn out, but Elementor lives up to the promise, with device preview screens, percentage based element widths and device visibility control.

Elementor offers developers the freedom to customize and extend it and can become a useful plugin for developers that don’t want to be chained to a theme.

Use Elementor with your favorite or customized theme. Change themes and still keep all your designs. Landing pages, homepages, posts, portfolios, products. Elementor can be used to design any page or custom post type on WordPress.

Elementor Github

Column & Content Position


Elementor Master Github

With Elementor, you can position the column on the top, center, and bottom of a section, or stretch it out across the entire section. You can also position the content within the column in the same manner. This unique feature gives you the freedom to create a design that is far more customized.