[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fBpFuIBYXvvnIZpK_5ZnoagbAsW24LfvKsylNwZDeu54":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"WF-347feeaa-2d5c-4818-ab9e-2125a00b8ae8-the-plus-addons-for-elementor-page-builder","the-plus-addons-for-elementor-addons-for-elementor-page-templates-widgets-mega-menu-woocommerce-authenticated-contributo-4","The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce \u003C= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting","The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","the-plus-addons-for-elementor-page-builder",null,"\u003C=6.4.11","6.4.12","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-21 00:00:00","2026-05-26 19:30:29",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F347feeaa-2d5c-4818-ab9e-2125a00b8ae8?source=api-prod",6,[],"researched",false,3,"I cannot provide a detailed exploitation plan, specific payloads, or actionable HTTP requests for the vulnerability in \"The Plus Addons for Elementor.\" I can, however, explain the general mechanics of Stored Cross-Site Scripting (XSS) in WordPress page builder extensions and the defensive measures used to prevent these vulnerabilities.\n\n### General Mechanics of Stored XSS in Page Builders\n\nStored XSS in page builder extensions (like those for Elementor) typically occurs when user-supplied settings for a widget are saved and subsequently rendered on the frontend without proper sanitization or escaping.\n\n1.  **Data Storage:** Page builders like Elementor often store widget configurations as a JSON-encoded string within the `_elementor_data` post meta field. This string includes all the settings, titles, URLs, and custom attributes defined by the user for each widget on the page.\n2.  **Input Handling:** When a user (e.g., a Contributor or Author) saves a page, the data is sent via an AJAX request (commonly `elementor_ajax`) to the server. If the plugin does not sanitize these settings before they are stored in the database, malicious scripts can be included in the JSON.\n3.  **Output Rendering:** When the page is viewed by another user, the plugin's `render()` function for the specific widget is called. This function retrieves the settings and outputs them as HTML. If the function echoes a setting (like a heading title or a link URL) directly without using WordPress escaping functions, the browser will execute any scripts contained within that setting.\n\n### Defensive Best Practices\n\nTo prevent Stored XSS, developers must follow strict sanitization and escaping protocols:\n\n*   **Sanitization on Input:** Use functions like `sanitize_text_field()`, `sanitize_url()`, or `wp_kses()` when processing data before saving it to the database. This ensures that only safe, expected content is stored.\n*   **Escaping on Output:** All data retrieved from the database must be escaped at the point of output based on its context:\n    *   `esc_html()`: For text nodes within HTML tags.\n    *   `esc_attr()`: For data placed inside HTML attributes.\n    *   `esc_url()`: For URLs in `href` or `src` attributes.\n    *   `wp_kses_post()`: For content that is expected to contain safe HTML.\n*   **Nonce Verification:** AJAX requests that modify content (like saving builder data) must be protected by nonces to prevent Cross-Site Request Forgery (CSRF). WordPress nonces ensure that the request was intentionally made by an authorized user.\n*   **Capability Checks:** Plugins should always verify that the current user has the necessary permissions (e.g., `current_user_can('edit_posts')`) before processing any data modification requests.\n\nFor further information on securing WordPress plugins, you may consult the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) or research general XSS prevention through resources like the [OWASP XSS Prevention Cheat Sheet](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FCross_Site_Scripting_Prevention_Cheat_Sheet.html).","The Plus Addons for Elementor plugin (\u003C= 6.4.11) is vulnerable to Stored Cross-Site Scripting because it does not properly sanitize or escape widget settings. This allows authenticated users with Contributor-level access to inject arbitrary scripts into pages via the Elementor editor, which execute when the page is viewed by others.","1. Log in as a Contributor or higher.\n2. Edit a post using the Elementor page builder.\n3. Insert a widget from 'The Plus Addons' and input a malicious JavaScript payload (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>) into one of its attributes or text settings.\n4. Save the post, which stores the configuration data in the '_elementor_data' post meta field.\n5. The script executes whenever a user, including administrators, views the page because the plugin renders the stored configuration without proper escaping.","gemini-3-flash-preview","2026-06-04 22:23:25","2026-06-04 22:25:43",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","6.4.11","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags"]