[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fNGhCMqwiilKIAG_UrSTh8YFwpBEwOOuQyMxvEV2nM7E":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"WF-f80af397-72d5-4446-b43f-3be26657b73e-animation-addons-for-elementor","animation-addons-for-elementor-gsap-motion-elementor-addons-website-templates-authenticated-contributor-stored-cross-sit-2","Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates \u003C= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","animation-addons-for-elementor",null,"\u003C=2.6.3","2.6.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 00:00:00","2026-06-01 16:29:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff80af397-72d5-4446-b43f-3be26657b73e?source=api-prod",7,[22,23,24,25,26,27,28,29],"animation-addons-for-elementor.php","assets\u002Fcss\u002Fwidgets\u002Floop-grid.css","assets\u002Fcss\u002Fwidgets\u002Floop-grid.min.css","assets\u002Fsrc\u002Fscss\u002Fwidgets\u002Floop-grid.scss","changelog.txt","class-plugin.php","config.php","inc\u002FAAE_Post_Handler_Trait.php","researched",false,3,"This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in the **Animation Addons for Elementor** plugin (\u003C= 2.6.3). The vulnerability arises from the plugin's failure to escape post-related data (specifically titles) when rendered through its Elementor widgets.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated (Contributor+) Stored Cross-Site Scripting\n*   **Location:** `inc\u002FAAE_Post_Handler_Trait.php` within the `render_title()` and `wcf_wrap_first_n_words()` functions.\n*   **Cause:** The plugin retrieves post titles using `get_the_title()` and processes them through `wcf_wrap_first_n_words()`. This function wraps parts of the title in a `\u003Cspan>` tag but returns the raw, unescaped string, which is then echoed directly to the page.\n*   **Impact:** A user with Contributor-level permissions can create a post with a malicious title containing JavaScript. When an administrator or any visitor views a page where an Animation Addons widget (like \"Post Grid\" or \"Loop Grid\") displays that post, the script executes in their browser context.\n\n### 2. Attack Vector Analysis\n*   **Entry Point:** WordPress Post Title.\n*   **Vulnerable Parameter:** `post_title`.\n*   **Authentication Level:** Contributor or higher (anyone capable of creating\u002Fediting posts).\n*   **Preconditions:** The site must have at least one page using an Animation Addons widget that renders post titles (e.g., `Loop Grid`, `Post Grid`).\n\n### 3. Code Flow\n1.  **Source:** A Contributor creates\u002Fedits a post. The malicious payload is saved in the `wp_posts` table under `post_title`.\n2.  **Sink Path:**\n    *   An Elementor widget using the `AAE_Post_Handler_Trait` (e.g., a Post Grid widget) is rendered on the frontend.\n    *   The widget calls `$this->render_title()` (defined in `inc\u002FAAE_Post_Handler_Trait.php`).\n    *   Inside `render_title()`, the code fetches the title: `$title = $this->trim_words( get_the_title(), $max_length );`.\n    *   It then calls `echo $this->wcf_wrap_first_n_words( $title, $highlight_title_length );`.\n    *   **The Sink:** `wcf_wrap_first_n_words()` (also in `inc\u002FAAE_Post_Handler_Trait.php`) manipulates the string and returns it:\n        ```php\n        return '\u003Cspan class=\"' . $class . '\">' . $text . '\u003C\u002Fspan>';\n        ```\n    *   Because `$text` (the title) is never passed through `esc_html()`, the payload is executed.\n\n### 4. Nonce Acquisition Strategy\nThis exploit leverages the standard WordPress post creation\u002Fediting mechanism. No plugin-specific AJAX nonces are required for the primary payload injection via the post title.\n\nHowever, if the environment requires extracting a nonce to verify widget rendering or to interact with the Elementor Editor (if the Contributor is editing a page directly), the following applies:\n*   **Variable Name:** `WCF_Addons_Editor` (found in `class-plugin.php`).\n*   **Nonce Key:** `_wpnonce`.\n*   **Extraction Method:**\n    1. Create a page: `wp post create --post_type=page --post_status=publish --post_content='[any_shortcode]'`\n    2. Navigate to the editor for that page.\n    3. Run: `browser_eval(\"window.WCF_Addons_Editor?._wpnonce\")`.\n\n### 5. Exploitation Strategy\n1.  **Log in as Contributor.**\n2.  **Create a Malicious Post:** Use the `http_request` tool to create a post with a script payload in the title.\n3.  **Ensure Rendering:** Use the `wp-cli` to ensure at least one page exists that contains an Animation Addons widget.\n4.  **Trigger Execution:** Access the page as an Admin user.\n\n#### Payload Request\n```http\nPOST \u002Fwp-admin\u002Fpost.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=editpost&post_ID=[POST_ID]&post_title=Test \u003Cimg src=x onerror=alert(document.domain)>&post_status=publish\n```\n\n### 6. Test Data Setup\n1.  **User:** A user with the `contributor` role.\n2.  **Vulnerable Post:** A post created by the contributor with the payload: `\">\u003Cscript>alert('XSS')\u003C\u002Fscript>`.\n3.  **Display Page:** A published page containing an Animation Addons widget that renders recent posts. \n    *   *Note:* If no such page exists, create one via WP-CLI using a known widget slug from `config.php` (e.g., a Post Grid or Loop Grid).\n\n### 7. Expected Results\n*   When viewing the page containing the widget, the browser should render:\n    `\u003Cspan class=\"highlight\">Test \u003Cimg src=x onerror=alert(document.domain)>\u003C\u002Fspan>`\n*   The `onerror` event will trigger, and an alert box displaying the document domain will appear.\n\n### 8. Verification Steps\n1.  **Check Database:** `wp db query \"SELECT post_title FROM wp_posts WHERE post_title LIKE '%\u003Cimg%'\"`.\n2.  **Inspect Response:** Use `http_request` (GET) to the page and verify that the raw payload string exists inside a `\u003Cspan>` tag with the class `wcf-post-title`.\n\n### 9. Alternative Approaches\n*   **Read More XSS:** The `render_read_more()` function uses `wp_kses_post( $read_more )`. While `wp_kses_post` is generally safe, it allows some HTML. Check if attributes or specific tags can be abused if the Contributor can modify the widget settings directly within Elementor.\n*   **Widget Settings:** If a Contributor has access to the Elementor editor, they can inject payloads into widget-specific controls (e.g., \"Image Box Title\"). If these are rendered via a similar path without `esc_html`, they are equally vulnerable. Look for the `render()` method in the widget classes (e.g., `WCF_ADDONS\\Widgets\\Image_Box`).","The Animation Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting via post titles rendered in various Elementor widgets. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into post titles, which are then rendered and executed without escaping when viewed by other users, including administrators.","\u002F\u002F inc\u002FAAE_Post_Handler_Trait.php\n\nfunction wcf_wrap_first_n_words( $text, $n, $class = 'highlight' ) {\n    \u002F\u002F Split the text into an array of words\n    $words = explode( ' ', $text );\n    \u002F\u002F Check if the text has enough words to wrap\n    if ( count( $words ) >= $n ) {\n        \u002F\u002F Extract the first N words and wrap them in a span tag\n        $wrapped_words   = array_slice( $words, 0, $n );\n        $remaining_words = array_slice( $words, $n );\n        \u002F\u002F Create the wrapped portion\n        $wrapped = '\u003Cspan class=\"' . $class . '\">' . implode( ' ', $wrapped_words ) . '\u003C\u002Fspan>';\n\n        \u002F\u002F Combine the wrapped portion with the remaining words\n        return $wrapped . ' ' . implode( ' ', $remaining_words );\n    }\n\n    \u002F\u002F If there are fewer words than N, wrap the whole text\n    return '\u003Cspan class=\"' . $class . '\">' . $text . '\u003C\u002Fspan>';\n}\n\n---\n\n\u002F\u002F inc\u002FAAE_Post_Handler_Trait.php line 51\n$title                  = $this->trim_words( get_the_title(), $max_length );\n$highlight_title_length = (int) $this->get_settings( 'highlight_title_length' );\n\necho $this->wcf_wrap_first_n_words( $title, $highlight_title_length ); \u002F\u002F Wrap first 2 words","--- a\u002Finc\u002FAAE_Post_Handler_Trait.php\n+++ b\u002Finc\u002FAAE_Post_Handler_Trait.php\n@@ -24,11 +24,11 @@\n \t\t\t$wrapped_words   = array_slice( $words, 0, $n );\n \t\t\t$remaining_words = array_slice( $words, $n );\n \t\t\t\u002F\u002F Create the wrapped portion\n-\t\t\t$wrapped = '\u003Cspan class=\"' . $class . '\">' . implode( ' ', $wrapped_words ) . '\u003C\u002Fspan>';\n+\t\t\t$wrapped = '\u003Cspan class=\"' . esc_attr( $class ) . '\">' . esc_html( implode( ' ', $wrapped_words ) ) . '\u003C\u002Fspan>';\n \n \t\t\t\u002F\u002F Combine the wrapped portion with the remaining words\n-\t\t\treturn $wrapped . ' ' . implode( ' ', $remaining_words );\n+\t\t\treturn $wrapped . ' ' . esc_html( implode( ' ', $remaining_words ) );\n \t\t}\n \n \t\t\u002F\u002F If there are fewer words than N, wrap the whole text\n-\t\treturn '\u003Cspan class=\"' . $class . '\">' . $text . '\u003C\u002Fspan>';\n+\t\treturn '\u003Cspan class=\"' . esc_attr( $class ) . '\">' . esc_html( $text ) . '\u003C\u002Fspan>';\n \t}","The exploit is achieved by an authenticated user (Contributor or higher) following these steps:\n1. Log in to the WordPress admin dashboard and create a new post.\n2. Set the post title to a malicious JavaScript payload (e.g., `\">\u003Cimg src=x onerror=alert(1)>`).\n3. Publish or save the post.\n4. Ensure there is a page on the site utilizing an Animation Addons widget that renders recent posts (such as a Post Grid, Loop Grid, or Archive widget).\n5. When an administrator or any other user views the page containing the widget, the plugin calls `wcf_wrap_first_n_words()` via `AAE_Post_Handler_Trait`, which returns the unescaped payload wrapped in a `\u003Cspan>` tag. The payload is then echoed directly into the page content, triggering the execution of the script in the victim's browser.","gemini-3-flash-preview","2026-06-04 20:34:42","2026-06-04 20:36:15",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.6.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags\u002F2.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanimation-addons-for-elementor.2.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags\u002F2.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanimation-addons-for-elementor.2.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags"]