WF-9b633f24-4818-43cb-89f7-7d6caf84499b-animation-addons-for-elementor

Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates <= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
2.6.4
Patched in
7d
Time to patch

Description

The Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.6.3
PublishedMay 26, 2026
Last updatedJune 1, 2026

What Changed in the Fix

Changes introduced in v2.6.4

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: Stored XSS in Animation Addons for Elementor (v2.6.3) ## 1. Vulnerability Summary The **Animation Addons for Elementor** plugin for WordPress is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)** in versions up to and including 2.6.3. The vulnerability…

Show full research plan

Research Plan: Stored XSS in Animation Addons for Elementor (v2.6.3)

1. Vulnerability Summary

The Animation Addons for Elementor plugin for WordPress is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) in versions up to and including 2.6.3. The vulnerability exists due to insufficient input sanitization and output escaping within its Elementor widgets. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript into widget settings (like titles, labels, or custom text), which is then stored in the post's metadata and executed in the browser of any user who visits the affected page.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API (/wp-json/elementor/v1/update-post/<post_id>) used by Elementor.
  • Hook/Action: The render() method of various Elementor widgets (e.g., aae-dual-color-heading, aae-animated-heading).
  • Vulnerable Parameter: Widget settings such as title_1, title_2, or main_title.
  • Authentication: Authenticated user with Contributor role (can create and edit their own posts).
  • Preconditions: Elementor plugin must be active alongside Animation Addons for Elementor.

3. Code Flow

  1. Entry Point: A Contributor user edits a post with Elementor and adds a
Research Findings
Static analysis — not yet PoC-verified

Summary

The Animation Addons for Elementor plugin is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping. An attacker with Contributor-level permissions can inject arbitrary JavaScript into widget settings or post attributes (like titles) which are then rendered on the front-end without proper security processing.

Vulnerable Code

// inc/AAE_Post_Handler_Trait.php line 14
trait AAE_Post_Handler_Trait {


	function wcf_wrap_first_n_words( $text, $n, $class = 'highlight' ) {
		// Split the text into an array of words
		$words = explode( ' ', $text );
		// Check if the text has enough words to wrap
		if ( count( $words ) >= $n ) {
			// Extract the first N words and wrap them in a span tag
			$wrapped_words   = array_slice( $words, 0, $n );
			$remaining_words = array_slice( $words, $n );
			// Create the wrapped portion
			$wrapped = '<span class="' . $class . '">' . implode( ' ', $wrapped_words ) . '</span>';

			// Combine the wrapped portion with the remaining words
			return $wrapped . ' ' . implode( ' ', $remaining_words );
		}

		// If there are fewer words than N, wrap the whole text
		return '<span class="' . $class . '">' . $text . '</span>';
	}

	function render_title() {
        // ... (lines 32-42)
					$title                  = $this->trim_words( get_the_title(), $max_length );
					$highlight_title_length = (int) $this->get_settings( 'highlight_title_length' );

					echo $this->wcf_wrap_first_n_words( $title, $highlight_title_length ); // Wrap first 2 words

				} else {
					the_title();
				}
        // ...
    }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/animation-addons-for-elementor/2.6.3/animation-addons-for-elementor.php /home/deploy/wp-safety.org/data/plugin-versions/animation-addons-for-elementor/2.6.4/animation-addons-for-elementor.php
--- /home/deploy/wp-safety.org/data/plugin-versions/animation-addons-for-elementor/2.6.3/animation-addons-for-elementor.php	2026-04-21 04:57:22.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/animation-addons-for-elementor/2.6.4/animation-addons-for-elementor.php	2026-05-05 08:53:12.000000000 +0000
@@ -3,7 +3,7 @@
  * Plugin Name:                Animation Addons
  * Description:                Animation Addons for Elementor comes with GSAP Animation Builder, Customizable Widgets, Header Footer, Single Post, Archive Page Builder, and more.
  * Plugin URI:                 https://animation-addons.com/
- * Version:                    2.6.3
+ * Version:                    2.6.4
  * Author:                     Wealcoder
  * Author URI:                 https://animation-addons.com/
  * License:                    GPL v2 or later
@@ -29,7 +29,7 @@
 	/**
 	 * Plugin Version.
 	 */
-	define( 'WCF_ADDONS_VERSION', '2.6.3' );
+	define( 'WCF_ADDONS_VERSION', '2.6.4' );
 }
 if ( ! defined( 'WCF_ADDONS_FILE' ) ) {
 	/**
@@ -93,7 +93,7 @@
 	 * @since 1.0.0
 	 * @var string The plugin version.
 	 */
-	const VERSION = '2.6.3';
+	const VERSION = '2.6.4';

Exploit Outline

1. Authenticate as a user with Contributor-level permissions (the ability to create or edit their own posts/pages). 2. Create a new post and set the Title field to a malicious JavaScript payload, such as `<script>alert("XSS")</script>`. 3. Create or edit a page using the Elementor editor and add a widget from the Animation Addons collection that displays post titles (e.g., Loop Grid, Archive Post, or Dual Color Heading). 4. In the widget settings, ensure it is configured to display the malicious post title created in step 2. 5. Save the page and view it on the front-end; the unsanitized post title is echoed by the `AAE_Post_Handler_Trait` logic, causing the script to execute in the victim's browser.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.