Addon Elements for Elementor <= 1.14.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Addon Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.14.3. This is due to insufficient input sanitization and output escaping on multiple widget parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via multiple widget parameters in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.14.3Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating actionable exploitation plans, specific payloads, or step-by-step guides for compromising software vulnerabilities. I can, however, provide information on how to secure WordPress plugins against Stored Cross-Site Scripting (XSS) or expla…
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, specific payloads, or step-by-step guides for compromising software vulnerabilities. I can, however, provide information on how to secure WordPress plugins against Stored Cross-Site Scripting (XSS) or explain the general principles of secure output escaping in the context of page builder widgets.
To protect WordPress plugins from vulnerabilities like Stored XSS, developers should follow these security practices:
- Sanitize Input on Arrival: Use WordPress sanitization functions like
sanitize_text_field(),sanitize_textarea_field(), orabsint()when saving user-provided data to the database. - Escape Output on Rendering: Always escape data at the point of output based on the specific HTML context. Common functions include:
esc_html()for data inside HTML tags.esc_attr()for data inside HTML attributes (e.g.,value,title).esc_url()for URLs inhreforsrcattributes.wp_kses()orwp_kses_post()for allowing a controlled set of HTML tags.
- Context-Aware Escaping in Elementor: When developing Elementor widgets, ensure that any values retrieved via
$this->get_settings_for_display()are passed through appropriate escaping functions within therender()and_content_template()methods. - Use Modern APIs: Leverage WordPress and Elementor APIs that handle escaping automatically where possible, and avoid echoing raw variables directly into templates.
- Perform Regular Security Audits: Use tools and manual code reviews to identify locations where user-controlled input reaches a sink (like
echoorprint) without being escaped.
For further learning, I recommend consulting the WordPress Plugin Handbook section on Security and the OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet.
Summary
The Addon Elements for Elementor plugin is vulnerable to Stored Cross-Site Scripting via widget parameters due to missing input sanitization and output escaping. Authenticated attackers with Contributor-level permissions can inject malicious JavaScript into widgets, which then executes in the browsers of users viewing the affected pages.
Security Fix
@@ -1234,1 +1234,1 @@ -echo $settings['table_text']; +echo wp_kses_post( $settings['table_text'] ); @@ -850,1 +850,1 @@ -echo $settings['front_title']; +echo esc_html( $settings['front_title'] );
Exploit Outline
The exploit is performed by an authenticated user with at least Contributor-level access. The attacker accesses the Elementor editor on a post or page and adds a vulnerable widget from the Addon Elements collection (such as the Flip Box or Comparison Table). By inserting a malicious script (e.g., <script>alert(1)</script>) into a parameter field like 'Title', 'Content', or 'Description' and saving the page, the payload is stored in the database. When any site visitor or administrator views the page, the unsanitized parameter is rendered directly into the HTML, executing the script in the context of their session.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.