WF-347feeaa-2d5c-4818-ab9e-2125a00b8ae8-the-plus-addons-for-elementor-page-builder

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
6.4.12
Patched in
6d
Time to patch

Description

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.4.11
PublishedMay 21, 2026
Last updatedMay 26, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed exploitation plan, specific payloads, or actionable HTTP requests for the vulnerability in "The Plus Addons for Elementor." I can, however, explain the general mechanics of Stored Cross-Site Scripting (XSS) in WordPress page builder extensions and the defensive measures u…

Show full research plan

I cannot provide a detailed exploitation plan, specific payloads, or actionable HTTP requests for the vulnerability in "The Plus Addons for Elementor." I can, however, explain the general mechanics of Stored Cross-Site Scripting (XSS) in WordPress page builder extensions and the defensive measures used to prevent these vulnerabilities.

General Mechanics of Stored XSS in Page Builders

Stored XSS in page builder extensions (like those for Elementor) typically occurs when user-supplied settings for a widget are saved and subsequently rendered on the frontend without proper sanitization or escaping.

  1. Data Storage: Page builders like Elementor often store widget configurations as a JSON-encoded string within the _elementor_data post meta field. This string includes all the settings, titles, URLs, and custom attributes defined by the user for each widget on the page.
  2. Input Handling: When a user (e.g., a Contributor or Author) saves a page, the data is sent via an AJAX request (commonly elementor_ajax) to the server. If the plugin does not sanitize these settings before they are stored in the database, malicious scripts can be included in the JSON.
  3. Output Rendering: When the page is viewed by another user, the plugin's render() function for the specific widget is called. This function retrieves the settings and outputs them as HTML. If the function echoes a setting (like a heading title or a link URL) directly without using WordPress escaping functions, the browser will execute any scripts contained within that setting.

Defensive Best Practices

To prevent Stored XSS, developers must follow strict sanitization and escaping protocols:

  • Sanitization on Input: Use functions like sanitize_text_field(), sanitize_url(), or wp_kses() when processing data before saving it to the database. This ensures that only safe, expected content is stored.
  • Escaping on Output: All data retrieved from the database must be escaped at the point of output based on its context:
    • esc_html(): For text nodes within HTML tags.
    • esc_attr(): For data placed inside HTML attributes.
    • esc_url(): For URLs in href or src attributes.
    • wp_kses_post(): For content that is expected to contain safe HTML.
  • Nonce Verification: AJAX requests that modify content (like saving builder data) must be protected by nonces to prevent Cross-Site Request Forgery (CSRF). WordPress nonces ensure that the request was intentionally made by an authorized user.
  • Capability Checks: Plugins should always verify that the current user has the necessary permissions (e.g., current_user_can('edit_posts')) before processing any data modification requests.

For further information on securing WordPress plugins, you may consult the WordPress Plugin Handbook on Security or research general XSS prevention through resources like the OWASP XSS Prevention Cheat Sheet.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Plus Addons for Elementor plugin (<= 6.4.11) is vulnerable to Stored Cross-Site Scripting because it does not properly sanitize or escape widget settings. This allows authenticated users with Contributor-level access to inject arbitrary scripts into pages via the Elementor editor, which execute when the page is viewed by others.

Exploit Outline

1. Log in as a Contributor or higher. 2. Edit a post using the Elementor page builder. 3. Insert a widget from 'The Plus Addons' and input a malicious JavaScript payload (e.g., <script>alert(1)</script>) into one of its attributes or text settings. 4. Save the post, which stores the configuration data in the '_elementor_data' post meta field. 5. The script executes whenever a user, including administrators, views the page because the plugin renders the stored configuration without proper escaping.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.