[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuaBKsZ1FLb_WOqMErIcQ9MmR-opgeLXXKbCbjRX1C4Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-39597","wpzoom-addons-for-elementor-starter-templates-widgets-reflected-cross-site-scripting","WPZOOM Addons for Elementor – Starter Templates & Widgets \u003C= 1.3.4 - Reflected Cross-Site Scripting","The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","wpzoom-elementor-addons",null,"\u003C=1.3.4","1.3.5","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-16 00:00:00","2026-04-21 14:58:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc66f1633-5563-4deb-b315-79b4b9e17a95?source=api-prod",6,[22,23,24,25,26],"includes\u002Fwidgets\u002Fportfolio-reel\u002Fportfolio-reel.php","includes\u002Fwidgets\u002Fslider-pro\u002Fslider-pro.php","includes\u002Fwpzoom-elementor-ajax-posts-grid.php","readme.txt","wpzoom-elementor-addons.php","researched",false,3,"# Research Plan: CVE-2026-39597 - WPZOOM Addons for Elementor Reflected XSS\n\n## 1. Vulnerability Summary\nThe **WPZOOM Addons for Elementor – Starter Templates & Widgets** plugin (versions \u003C= 1.3.4) is vulnerable to Reflected Cross-Site Scripting (XSS) via the `wpz_posts_grid_load_more` AJAX action. The vulnerability exists in the `WPZOOM_Elementor_Ajax_Post_Grid` class where the `title_tag` parameter, provided within a JSON-encoded `posts_data` POST parameter, is reflected into the page without sufficient sanitization or attribute escaping. Specifically, the value is used as an HTML tag name, allowing an attacker to inject attributes like `onerror`.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wpz_posts_grid_load_more`\n- **Vulnerable Parameter**: `posts_data[title_tag]`\n- **Authentication**: Unauthenticated (available via `wp_ajax_nopriv_wpz_posts_grid_load_more`).\n- **Preconditions**: \n 1. A valid WordPress nonce for the action `wpz_posts_grid_load_more`.\n 2. At least one published post must exist so that the `WP_Query` returns results, triggering the rendering logic.\n- **Payload Type**: Reflected (via POST request).\n\n## 3. Code Flow\n1. **Entry Point**: The `ajax_post_grid_load_more()` function in `includes\u002Fwpzoom-elementor-ajax-posts-grid.php` is triggered by the AJAX action.\n2. **Input Handling**:\n - The `nonce` is verified (Line 72).\n - `$_POST['posts_data']` is passed through `sanitize_text_field()` and then `json_decode()` (Lines 74-75).\n - The resulting array is stored in `self::$settings` (Line 77).\n3. **Execution Path**:\n - A `WP_Query` is executed based on other parameters in `$data`","The plugin is vulnerable to unauthenticated Reflected Cross-Site Scripting (XSS) via the 'wpz_posts_grid_load_more' AJAX action. This occurs because the 'title_tag' parameter within the JSON-encoded 'posts_data' POST parameter is reflected into the page as an HTML tag name without validation or escaping.","\u002F\u002F includes\u002Fwpzoom-elementor-ajax-posts-grid.php line 204\n\tprotected function render_title() {\t\n\t\t$settings = $this->get_settings();\n\n\t\t$show_title = $settings[ 'show_title' ];\n\n\t\tif ( 'yes' !== $show_title ) {\n\t\t\treturn;\n\t\t}\n\n\t\t$title_tag = $settings[ 'title_tag' ];\n\t\t\t\n\t\t?>\n\t\t\u003C\u003C?php echo $title_tag; \u002F\u002F WPCS: XSS OK. ?> class=\"title\">\n\t\t\t\u003Ca href=\"\u003C?php the_permalink(); ?>\" title=\"\u003C?php echo esc_attr( get_the_title() ); ?>\">\u003C?php the_title(); ?>\u003C\u002Fa>\n\t\t\u003C\u002F\u003C?php echo $title_tag; \u002F\u002F WPCS: XSS OK. ?>>\n\t\t\u003C?php\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.4\u002Fincludes\u002Fwidgets\u002Fportfolio-reel\u002Fportfolio-reel.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.5\u002Fincludes\u002Fwidgets\u002Fportfolio-reel\u002Fportfolio-reel.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.4\u002Fincludes\u002Fwidgets\u002Fportfolio-reel\u002Fportfolio-reel.php\t2026-02-13 13:48:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.5\u002Fincludes\u002Fwidgets\u002Fportfolio-reel\u002Fportfolio-reel.php\t2026-02-23 15:59:50.000000000 +0000\n@@ -1743,7 +1743,7 @@\n \n \u003C?php if ( $popup_video_type === 'self_hosted' && $is_video_popup_self_hosted ): ?>\n \u003Cdiv id=\"zoom-popup-\u003C?php echo the_ID(); ?>\" class=\"animated slow mfp-hide\"\n- data-src=\"\u003C?php echo $popup_self_hosted_src; ?>\">\n+ data-src=\"\u003C?php echo esc_url( $popup_self_hosted_src ); ?>\">\n \u003Cdiv class=\"mfp-iframe-scaler\">\n \u003C?php\n echo wp_video_shortcode(\n@@ -1771,12 +1771,12 @@\n \u003Ca class=\"reel_video_item\" href=\"\u003C?php echo esc_url( get_permalink() ); ?>\" title=\"\u003C?php echo esc_attr( get_the_title() ); ?>\">\n \u003C?php if($has_video_popup): ?>\n \u003Cdiv class=\"entry-thumbnail-popover\u003C?php if ($lightbox_open_thumb) { ?> lightbox_open_full\u003C?php } ?>\">\n- \u003Cdiv class=\"entry-thumbnail-popover-content popover-content--animated\" data-show-caption=\"\u003C?php echo $show_popup_caption ?>\">\n+ \u003Cdiv class=\"entry-thumbnail-popover-content popover-content--animated\" data-show-caption=\"\u003C?php echo esc_attr( $show_popup_caption ); ?>\">\n \u003C?php if ( $popup_video_type === 'self_hosted' && $is_video_popup_self_hosted ): ?>\n \u003Cspan href=\"#zoom-popup-\u003C?php echo the_ID(); ?>\" class=\"mfp-inline portfolio-popup-video\">\u003C\u002Fspan>\n \u003C?php elseif ( $popup_video_type === 'external_hosted' && ! empty( $portfolio_video_popup_url ) ): ?>\n \u003Cspan class=\"mfp-iframe portfolio-popup-video\"\n- href=\"\u003C?php echo $portfolio_video_popup_url; ?>\">\u003C\u002Fspan>\n+ href=\"\u003C?php echo esc_url( $portfolio_video_popup_url ); ?>\">\u003C\u002Fspan>\n \u003C?php endif; ?>\n \u003C\u002Fdiv>\n \u003C\u002Fdiv>\n@@ -1833,11 +1833,11 @@\n \n \u003Cul>\n \u003C?php if ($enable_director_name && $video_director) { ?>\n- \u003Cli>\u003C?php echo $video_director; ?>\u003C\u002Fli>\n+ \u003Cli>\u003C?php echo esc_html( $video_director ); ?>\u003C\u002Fli>\n \u003C?php } ?>\n \n \u003C?php if ($enable_year && $video_year) { ?>\n- \u003Cli>\u003C?php echo $video_year; ?>\u003C\u002Fli>\n+ \u003Cli>\u003C?php echo esc_html( $video_year ); ?>\u003C\u002Fli>\n \u003C?php } ?>\n \n \u003C?php if ( $enable_category ) : ?>\u003Cli>\n@@ -1869,11 +1869,11 @@\n \n \u003Cul>\n \u003C?php if ($enable_director_name && $video_director) { ?>\n- \u003Cli>\u003C?php echo $video_director; ?>\u003C\u002Fli>\n+ \u003Cli>\u003C?php echo esc_html( $video_director ); ?>\u003C\u002Fli>\n \u003C?php } ?>\n \n \u003C?php if ($enable_year && $video_year) { ?>\n- \u003Cli>\u003C?php echo $video_year; ?>\u003C\u002Fli>\n+ \u003Cli>\u003C?php echo esc_html( $video_year ); ?>\u003C\u002Fli>\n \u003C?php } ?>\n \n \u003C?php if ( $enable_category ) : ?>\u003Cli>\n@@ -1907,11 +1907,11 @@\n \n \u003Cul>\n \u003C?php if ($enable_director_name && $video_director) { ?>\n- \u003Cli>\u003C?php echo $video_director; ?>\u003C\u002Fli>\n+ \u003Cli>\u003C?php echo esc_html( $video_director ); ?>\u003C\u002Fli>\n \u003C?php } ?>\n \n \u003C?php if ($enable_year && $video_year) { ?>\n- \u003Cli>\u003C?php echo $video_year; ?>\u003C\u002Fli>\n+ \u003Cli>\u003C?php echo esc_html( $video_year ); ?>\u003C\u002Fli>\n \u003C?php } ?>\n \n \u003C?php if ( $enable_category ) : ?>\u003Cli>\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.4\u002Fincludes\u002Fwidgets\u002Fslider-pro\u002Fslider-pro.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.5\u002Fincludes\u002Fwidgets\u002Fslider-pro\u002Fslider-pro.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.4\u002Fincludes\u002Fwidgets\u002Fslider-pro\u002Fslider-pro.php\t2025-06-12 19:59:44.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.5\u002Fincludes\u002Fwidgets\u002Fslider-pro\u002Fslider-pro.php\t2026-02-23 15:59:50.000000000 +0000\n@@ -1131,7 +1131,7 @@\n \u003Ca href=\"#zoom-popup-\u003C?php echo get_the_ID(); ?>\" data-popup-video-options='\u003C?php echo json_encode( $encode_lightbox_video_opts ); ?>' data-popup-type=\"inline\" class=\"popup-video\" aria-label=\"Watch Video\">\u003C\u002Fa>\n \n \u003C?php elseif(!empty($video_background_popup_url)): ?>\n- \u003Ca data-popup-type=\"iframe\" data-popup-video-options='\u003C?php echo json_encode( $encode_lightbox_video_opts ); ?>' class=\"popup-video animated slow pulse\" href=\"\u003C?php echo $video_background_popup_url ?>\" aria-label=\"Watch Video\">\u003C\u002Fa>\n+ \u003Ca data-popup-type=\"iframe\" data-popup-video-options='\u003C?php echo json_encode( $encode_lightbox_video_opts ); ?>' class=\"popup-video animated slow pulse\" href=\"\u003C?php echo esc_url( $video_background_popup_url ); ?>\" aria-label=\"Watch Video\">\u003C\u002Fa>\n \u003C?php endif; ?>\n \n \u003C?php } \u002F* End Inspiro PRO markup *\u002F ?>\n@@ -1174,7 +1174,7 @@\n if( ( 'inspiro' === $current_theme && class_exists( 'WPZOOM' ) && $align_vertical != 'bottom' ) || ( 'wpzoom-inspiro-pro' === $current_theme && $align == 'center' ) ) {\n \t\t\t\t\t\t\t\t?>\n \u003C?php if($popup_video_type === 'self_hosted' && $is_video_popup): ?>\n- \u003Cdiv id=\"zoom-popup-\u003C?php echo get_the_ID(); ?>\" class=\"animated slow mfp-hide\" data-src =\"\u003C?php echo $popup_final_external_src ?>\">\n+ \u003Cdiv id=\"zoom-popup-\u003C?php echo get_the_ID(); ?>\" class=\"animated slow mfp-hide\" data-src =\"\u003C?php echo esc_url( $popup_final_external_src ); ?>\">\n \n \u003Cdiv class=\"mfp-iframe-scaler\">\n \n@@ -1192,7 +1192,7 @@\n \u003Ca href=\"#zoom-popup-\u003C?php echo get_the_ID(); ?>\" data-popup-video-options='\u003C?php echo json_encode( $encode_lightbox_video_opts ); ?>' data-popup-type=\"inline\" class=\"popup-video\" aria-label=\"Watch Video\">\u003C\u002Fa>\n \n \u003C?php elseif(!empty($video_background_popup_url)): ?>\n- \u003Ca data-popup-type=\"iframe\" data-popup-video-options='\u003C?php echo json_encode( $encode_lightbox_video_opts ); ?>' class=\"popup-video animated slow pulse\" href=\"\u003C?php echo $video_background_popup_url ?>\" aria-label=\"Watch Video\">\u003C\u002Fa>\n+ \u003Ca data-popup-type=\"iframe\" data-popup-video-options='\u003C?php echo json_encode( $encode_lightbox_video_opts ); ?>' class=\"popup-video animated slow pulse\" href=\"\u003C?php echo esc_url( $video_background_popup_url ); ?>\" aria-label=\"Watch Video\">\u003C\u002Fa>\n \u003C?php endif; ?>\n \n \u003C?php } \u002F* End Inspiro Premium markup *\u002F ?>\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.4\u002Fincludes\u002Fwpzoom-elementor-ajax-posts-grid.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.5\u002Fincludes\u002Fwpzoom-elementor-ajax-posts-grid.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.4\u002Fincludes\u002Fwpzoom-elementor-ajax-posts-grid.php\t2026-02-10 20:54:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwpzoom-elementor-addons\u002F1.3.5\u002Fincludes\u002Fwpzoom-elementor-ajax-posts-grid.php\t2026-02-23 15:59:50.000000000 +0000\n@@ -210,8 +210,8 @@\n \t\t\treturn;\n \t\t}\n \n-\t\t$title_tag = $settings[ 'title_tag' ];\n-\t\t\t\n+\t\t$title_tag = \\Elementor\\Utils::validate_html_tag( $settings[ 'title_tag' ] );\n+\n \t\t?>\n \t\t\u003C\u003C?php echo $title_tag; \u002F\u002F WPCS: XSS OK. ?> class=\"title\">\n \t\t\t\u003Ca href=\"\u003C?php the_permalink(); ?>\" title=\"\u003C?php echo esc_attr( get_the_title() ); ?>\">\u003C?php the_title(); ?>\u003C\u002Fa>","The exploit targets the 'wpz_posts_grid_load_more' AJAX action via the \u002Fwp-admin\u002Fadmin-ajax.php endpoint. An attacker sends a POST request with the 'action' set to 'wpz_posts_grid_load_more', a valid 'nonce', and a 'posts_data' parameter containing a JSON-encoded object. By setting the 'title_tag' key within this JSON object to a malicious payload (e.g., 'img src=x onerror=alert(1)'), the plugin renders the string directly as an HTML tag name when iterating through posts. Because the action is hooked to 'wp_ajax_nopriv_', it is accessible to unauthenticated attackers, provided they can obtain a valid nonce through social engineering or other means.","gemini-3-flash-preview","2026-04-27 14:33:21","2026-04-27 14:34:12",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.3.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpzoom-elementor-addons\u002Ftags\u002F1.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpzoom-elementor-addons.1.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpzoom-elementor-addons\u002Ftags\u002F1.3.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwpzoom-elementor-addons.1.3.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwpzoom-elementor-addons\u002Ftags"]