[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fox3QxP5H2zVB1jN3Jv-ogInR2XcRNBj4NkluFtolCWI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"WF-0114a028-42ef-4668-815f-d62494565116-the-plus-addons-for-elementor-page-builder","the-plus-addons-for-elementor-addons-for-elementor-page-templates-widgets-mega-menu-woocommerce-authenticated-contributo-3","The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce \u003C= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting","The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","the-plus-addons-for-elementor-page-builder",null,"\u003C=6.4.11","6.4.12","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-21 00:00:00","2026-06-01 16:34:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0114a028-42ef-4668-815f-d62494565116?source=api-prod",12,[],"researched",false,3,"This research plan outlines the technical requirements and steps to demonstrate a Stored Cross-Site Scripting (XSS) vulnerability in \"The Plus Addons for Elementor\" (versions \u003C= 6.4.11). This vulnerability allows Contributor-level users to inject malicious scripts into pages, which then execute in the context of any user (including Administrators) viewing those pages.\n\n### 1. Vulnerability Summary\n*   **Vulnerability Name:** The Plus Addons for Elementor Stored XSS\n*   **Vulnerability Type:** Improper Neutralization of Input During Web Page Generation (Stored XSS)\n*   **Vulnerability Component:** Various widgets and the \"Plus Extra Attributes\" feature.\n*   **Root Cause:** The plugin fails to sanitize user-provided input in widget settings (such as IDs, classes, or custom data attributes) and subsequently fails to escape this data when rendering the widget on the frontend using functions like `echo` instead of `esc_attr()`.\n*   **Affected Versions:** \u003C= 6.4.11\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** WordPress REST API (Elementor Editor endpoint) or the standard Post Save mechanism.\n*   **Action\u002FHook:** `wp_ajax_elementor_ajax` or REST routes handled by Elementor's `Editor` class.\n*   **Vulnerable Parameter:** `post_content` (within the JSON-encoded `settings` of a specific \"Plus\" widget or extra attribute).\n*   **Authentication:** Contributor-level access (or higher) is required to edit posts and access the Elementor editor.\n*   **Preconditions:** The \"The Plus Addons for Elementor\" plugin must be active, and the Contributor must have permission to edit the specific post\u002Fpage.\n\n### 3. Code Flow (Inferred)\n1.  **Input:** A Contributor user opens the Elementor editor for a post and adds a widget from \"The Plus Addons\" (e.g., *Heading*, *Button*, or any widget with *Plus Extra Attributes* enabled).\n2.  **Storage:** The user enters a payload (e.g., `\">\u003Cscript>alert(1)\u003C\u002Fscript>`) into a setting field like \"Custom ID\" or a \"Custom Attribute\". Elementor sends this data via a REST API request to save the post metadata.\n3.  **Processing:** The plugin saves these settings into the `_elementor_data` post meta without sanitization.\n4.  **Output (Sink):** When a user views the post, Elementor triggers the `render()` method of the widget class.\n5.  **Vulnerability:** Inside the `render()` method (likely in `includes\u002Fwidgets\u002F` or via a filter in `modules\u002F`), the plugin retrieves the custom attribute and outputs it directly into the HTML:\n    ```php\n    \u002F\u002F Example of vulnerable code pattern\n    $id = $settings['plus_extra_id']; \n    echo '\u003Cdiv id=\"' . $id . '\">'; \u002F\u002F No esc_attr() here\n    ```\n\n### 4. Nonce Acquisition Strategy\nElementor exploitation requires the `wp_rest` nonce for authenticated REST API calls.\n\n1.  **Identify the Trigger:** Elementor's editor needs to be active.\n2.  **Create Test Content:** Create a page and set it to be edited with Elementor.\n    *   `wp post create --post_type=page --post_status=publish --post_title=\"XSS Research\" --post_content=''`\n3.  **Extract Nonce:**\n    *   Navigate to the WordPress dashboard and find the \"Edit with Elementor\" link for the newly created page.\n    *   Navigate to that editor URL using `browser_navigate`.\n    *   Use `browser_eval` to extract the REST nonce from the Elementor configuration object:\n        ```javascript\n        \u002F\u002F Elementor stores the REST nonce in the following location\n        window.elementorCommonConfig?.api_nonce;\n        ```\n    *   If a plugin-specific AJAX nonce is required (for non-Elementor actions), look for:\n        ```javascript\n        window.theplus_ajax_nonce; \u002F\u002F Inferred from common plugin JS localization\n        ```\n\n### 5. Exploitation Strategy\nThe goal is to inject a script into a widget setting that is rendered as an HTML attribute.\n\n**Step-by-Step Plan:**\n\n1.  **Authentication:** Log in as a Contributor user.\n2.  **Capture Editor Context:** Access the Elementor editor for a page to get the `post_id` and the `wp_rest` nonce.\n3.  **Craft Payload:** The payload should break out of an HTML attribute.\n    *   Target Field: `Custom ID` or `Plus Extra Attributes` -> `Attribute Value`.\n    *   Payload: `x\" onmouseover=\"alert(document.domain)\" data-x=\"`\n4.  **Send Update Request:** Use `http_request` to send a `POST` request to the Elementor REST API endpoint to update the post content.\n    *   **URL:** `https:\u002F\u002FTARGET\u002Fwp-json\u002Felementor\u002Fv1\u002Fdata\u002F\u003CPOST_ID>`\n    *   **Method:** `POST`\n    *   **Headers:**\n        *   `Content-Type: application\u002Fjson`\n        *   `X-WP-Nonce: \u003CEXTRACTED_NONCE>`\n    *   **Body:** A JSON structure representing the Elementor widget tree, including the malicious payload in the widget's settings.\n\n### 6. Test Data Setup\n1.  **Plugin Version:** Ensure \"The Plus Addons for Elementor\" v6.4.11 is installed.\n2.  **User:** Create a user with the `contributor` role.\n3.  **Page:** Create a page with the title \"Research Page\" and identify its ID.\n4.  **Enable Features:** Ensure \"Plus Extra Attributes\" is enabled in the plugin's settings (if testing that specific vector).\n\n### 7. Expected Results\n1.  **Response:** The REST API should return a `200 OK` indicating the post was saved.\n2.  **Rendering:** When visiting the page at `https:\u002F\u002FTARGET\u002F?p=\u003CPOST_ID>`, the HTML source should contain the injected payload:\n    ```html\n    \u003Cdiv id=\"x\" onmouseover=\"alert(document.domain)\" data-x=\"\" ...>\n    ```\n3.  **Execution:** Triggering the `onmouseover` event (or using a `\u003Cscript>` tag if the field is echoed outside an attribute) will execute the JavaScript.\n\n### 8. Verification Steps\n1.  **WP-CLI Verification:** Check the post metadata to see the stored payload:\n    *   `wp post meta get \u003CPOST_ID> _elementor_data`\n2.  **Database Check:** Inspect the `wp_postmeta` table directly if needed:\n    *   `wp db query \"SELECT meta_value FROM wp_postmeta WHERE post_id=\u003CPOST_ID> AND meta_key='_elementor_data'\"`\n3.  **Frontend Inspection:** Use `http_request` (GET) on the public page URL and grep for the payload string.\n\n### 9. Alternative Approaches\n*   **Shortcode Vector:** If the Elementor Editor is restricted, attempt to use the plugin's shortcodes in a standard post. If a shortcode attribute like `id` or `class` is vulnerable:\n    *   Payload: `[tp_button id='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n*   **Other Widgets:** The \"Plus Addons\" package contains many widgets. If the \"Heading\" widget is patched, test the \"Accordion\", \"Tabs\", or \"Info Box\" widgets, as the same vulnerable code pattern often replicates across similar components in the same plugin.","The Plus Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting via various widget settings and the 'Plus Extra Attributes' feature. Authenticated users with Contributor-level access can inject malicious JavaScript into fields like custom IDs or attributes, which then executes in the context of any user viewing the affected page.","\u002F\u002F File: includes\u002Fwidgets\u002Fsome-plus-widget.php (approximate)\n\u002F\u002F The plugin fails to escape user-provided settings before outputting them in HTML attributes.\n\npublic function render() {\n    $settings = $this->get_settings_for_display();\n    $custom_id = $settings['plus_extra_id']; \n\n    \u002F\u002F Vulnerable: Outputting raw setting value into the 'id' attribute\n    echo '\u003Cdiv id=\"' . $custom_id . '\" class=\"tp-widget-container\">';\n}\n\n---\n\n\u002F\u002F File: modules\u002Fenqueue\u002Fplus-extra-attributes.php (approximate)\n\u002F\u002F Custom attributes added via the Plus Extra Attributes feature are often concatenated directly.\n\nforeach ( $extra_attributes as $attribute ) {\n    $attr_key = $attribute['attr_key'];\n    $attr_val = $attribute['attr_val'];\n    \n    \u002F\u002F Vulnerable: Direct echo of key\u002Fvalue without sanitization or escaping\n    echo ' ' . $attr_key . '=\"' . $attr_val . '\"';\n}","--- a\u002Fmodules\u002Fwidgets\u002Fsome-plus-widget.php\n+++ b\u002Fmodules\u002Fwidgets\u002Fsome-plus-widget.php\n@@ -10,7 +10,7 @@\n     $settings = $this->get_settings_for_display();\n     $custom_id = $settings['plus_extra_id'];\n-    echo '\u003Cdiv id=\"' . $custom_id . '\" class=\"tp-widget-container\">';\n+    echo '\u003Cdiv id=\"' . esc_attr($custom_id) . '\" class=\"tp-widget-container\">';\n \n--- a\u002Fmodules\u002Fenqueue\u002Fplus-extra-attributes.php\n+++ b\u002Fmodules\u002Fenqueue\u002Fplus-extra-attributes.php\n@@ -15,5 +15,5 @@\n     $attr_key = $attribute['attr_key'];\n     $attr_val = $attribute['attr_val'];\n-    echo ' ' . $attr_key . '=\"' . $attr_val . '\"';\n+    echo ' ' . esc_attr($attr_key) . '=\"' . esc_attr($attr_val) . '\"';","The exploit targets the Elementor Editor REST API endpoint which is accessible to Contributor-level users. \n\n1.  **Authentication**: Log in as a Contributor and access the Elementor editor for a post to obtain the `wp_rest` nonce from the `window.elementorCommonConfig.api_nonce` object.\n2.  **Payload Construction**: Create a JSON payload representing an Elementor widget (e.g., Heading or Button) from 'The Plus Addons'. In the widget's `settings`, inject a malicious payload into a field that generates HTML attributes, such as `plus_extra_id` or `plus_extra_attributes`.\n3.  **Payload Example**: `\"plus_extra_id\": \"x\\\" onmouseover=\\\"alert(document.domain)\\\" data-x=\\\"\"`.\n4.  **Persistence**: Send a `POST` request to `\u002Fwp-json\u002Felementor\u002Fv1\u002Fdata\u002F\u003CPOST_ID>` with the malicious JSON and the `X-WP-Nonce` header.\n5.  **Execution**: When any user (including an Administrator) views the page, the injected attribute breaks out of the intended `id` attribute and adds an event handler, executing the script when the element is interacted with (e.g., hovered).","gemini-3-flash-preview","2026-06-04 22:19:03","2026-06-04 22:21:23",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.4.11","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags"]