[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fIXycPPP8E3bamMLgE8SOIjsYhrvSGLhul1MzTkTr3uM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"WF-9b633f24-4818-43cb-89f7-7d6caf84499b-animation-addons-for-elementor","animation-addons-for-elementor-gsap-motion-elementor-addons-website-templates-authenticated-contributor-stored-cross-sit","Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates \u003C= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","animation-addons-for-elementor",null,"\u003C=2.6.3","2.6.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-26 00:00:00","2026-06-01 16:29:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9b633f24-4818-43cb-89f7-7d6caf84499b?source=api-prod",7,[22,23,24,25,26,27,28,29],"animation-addons-for-elementor.php","assets\u002Fcss\u002Fwidgets\u002Floop-grid.css","assets\u002Fcss\u002Fwidgets\u002Floop-grid.min.css","assets\u002Fsrc\u002Fscss\u002Fwidgets\u002Floop-grid.scss","changelog.txt","class-plugin.php","config.php","inc\u002FAAE_Post_Handler_Trait.php","researched",false,3,"# Research Plan: Stored XSS in Animation Addons for Elementor (v2.6.3)\n\n## 1. Vulnerability Summary\nThe **Animation Addons for Elementor** plugin for WordPress is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)** in versions up to and including 2.6.3. The vulnerability exists due to insufficient input sanitization and output escaping within its Elementor widgets. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript into widget settings (like titles, labels, or custom text), which is then stored in the post's metadata and executed in the browser of any user who visits the affected page.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress REST API (`\u002Fwp-json\u002Felementor\u002Fv1\u002Fupdate-post\u002F\u003Cpost_id>`) used by Elementor.\n- **Hook\u002FAction**: The `render()` method of various Elementor widgets (e.g., `aae-dual-color-heading`, `aae-animated-heading`).\n- **Vulnerable Parameter**: Widget settings such as `title_1`, `title_2`, or `main_title`.\n- **Authentication**: Authenticated user with **Contributor** role (can create and edit their own posts).\n- **Preconditions**: Elementor plugin must be active alongside Animation Addons for Elementor.\n\n## 3. Code Flow\n1. **Entry Point**: A Contributor user edits a post with Elementor and adds a","The Animation Addons for Elementor plugin is vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping. An attacker with Contributor-level permissions can inject arbitrary JavaScript into widget settings or post attributes (like titles) which are then rendered on the front-end without proper security processing.","\u002F\u002F inc\u002FAAE_Post_Handler_Trait.php line 14\ntrait AAE_Post_Handler_Trait {\n\n\n\tfunction wcf_wrap_first_n_words( $text, $n, $class = 'highlight' ) {\n\t\t\u002F\u002F Split the text into an array of words\n\t\t$words = explode( ' ', $text );\n\t\t\u002F\u002F Check if the text has enough words to wrap\n\t\tif ( count( $words ) >= $n ) {\n\t\t\t\u002F\u002F Extract the first N words and wrap them in a span tag\n\t\t\t$wrapped_words   = array_slice( $words, 0, $n );\n\t\t\t$remaining_words = array_slice( $words, $n );\n\t\t\t\u002F\u002F Create the wrapped portion\n\t\t\t$wrapped = '\u003Cspan class=\"' . $class . '\">' . implode( ' ', $wrapped_words ) . '\u003C\u002Fspan>';\n\n\t\t\t\u002F\u002F Combine the wrapped portion with the remaining words\n\t\t\treturn $wrapped . ' ' . implode( ' ', $remaining_words );\n\t\t}\n\n\t\t\u002F\u002F If there are fewer words than N, wrap the whole text\n\t\treturn '\u003Cspan class=\"' . $class . '\">' . $text . '\u003C\u002Fspan>';\n\t}\n\n\tfunction render_title() {\n        \u002F\u002F ... (lines 32-42)\n\t\t\t\t\t$title                  = $this->trim_words( get_the_title(), $max_length );\n\t\t\t\t\t$highlight_title_length = (int) $this->get_settings( 'highlight_title_length' );\n\n\t\t\t\t\techo $this->wcf_wrap_first_n_words( $title, $highlight_title_length ); \u002F\u002F Wrap first 2 words\n\n\t\t\t\t} else {\n\t\t\t\t\tthe_title();\n\t\t\t\t}\n        \u002F\u002F ...\n    }","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanimation-addons-for-elementor\u002F2.6.3\u002Fanimation-addons-for-elementor.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanimation-addons-for-elementor\u002F2.6.4\u002Fanimation-addons-for-elementor.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanimation-addons-for-elementor\u002F2.6.3\u002Fanimation-addons-for-elementor.php\t2026-04-21 04:57:22.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fanimation-addons-for-elementor\u002F2.6.4\u002Fanimation-addons-for-elementor.php\t2026-05-05 08:53:12.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name:                Animation Addons\n  * Description:                Animation Addons for Elementor comes with GSAP Animation Builder, Customizable Widgets, Header Footer, Single Post, Archive Page Builder, and more.\n  * Plugin URI:                 https:\u002F\u002Fanimation-addons.com\u002F\n- * Version:                    2.6.3\n+ * Version:                    2.6.4\n  * Author:                     Wealcoder\n  * Author URI:                 https:\u002F\u002Fanimation-addons.com\u002F\n  * License:                    GPL v2 or later\n@@ -29,7 +29,7 @@\n \t\u002F**\n \t * Plugin Version.\n \t *\u002F\n-\tdefine( 'WCF_ADDONS_VERSION', '2.6.3' );\n+\tdefine( 'WCF_ADDONS_VERSION', '2.6.4' );\n }\n if ( ! defined( 'WCF_ADDONS_FILE' ) ) {\n \t\u002F**\n@@ -93,7 +93,7 @@\n \t * @since 1.0.0\n \t * @var string The plugin version.\n \t *\u002F\n-\tconst VERSION = '2.6.3';\n+\tconst VERSION = '2.6.4';","1. Authenticate as a user with Contributor-level permissions (the ability to create or edit their own posts\u002Fpages).\n2. Create a new post and set the Title field to a malicious JavaScript payload, such as `\u003Cscript>alert(\"XSS\")\u003C\u002Fscript>`.\n3. Create or edit a page using the Elementor editor and add a widget from the Animation Addons collection that displays post titles (e.g., Loop Grid, Archive Post, or Dual Color Heading).\n4. In the widget settings, ensure it is configured to display the malicious post title created in step 2.\n5. Save the page and view it on the front-end; the unsanitized post title is echoed by the `AAE_Post_Handler_Trait` logic, causing the script to execute in the victim's browser.","gemini-3-flash-preview","2026-06-04 20:32:31","2026-06-04 20:34:09",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.6.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags\u002F2.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanimation-addons-for-elementor.2.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags\u002F2.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fanimation-addons-for-elementor.2.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags"]