CVE-2021-24201: 
WordPress vulnerability analysis and mitigation

CVE-2021-24201 is a Cross-Site Scripting (XSS) vulnerability discovered in the Elementor Website Builder WordPress plugin versions before 3.1.4. The vulnerability was identified on January 14, 2021, and publicly disclosed on March 17, 2021. The issue affects the column element functionality in the plugin, specifically impacting websites using vulnerable versions of Elementor, which had over 7 million installations at the time of discovery (WPScan).

The vulnerability exists in the column element (includes/elements/column.php) which accepts an 'htmltag' parameter. While the element control specifies a fixed set of possible HTML tags, users with Contributor or higher permissions can bypass this restriction by sending a modified 'savebuilder' request containing JavaScript in the 'html_tag' parameter. The critical issue is that this parameter is neither filtered nor properly escaped before output. The vulnerability has been assigned a CVSS score of 6.4 (medium) and is classified as CWE-79 (WPScan).

When exploited, this vulnerability allows authenticated users with Contributor or higher permissions to inject malicious JavaScript code that executes when the affected page is viewed or previewed by other users. This creates a stored XSS condition that could potentially affect all visitors to the compromised page (WPScan).

The vulnerability was patched in Elementor version 3.1.4. Website administrators using affected versions should update to version 3.1.4 or later to mitigate this security risk (WPScan).