[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuBa5yFKYVXQLFrPAIqvPYgoXMaFqiFygJ_KiZYU6nSQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-11614","xpro-addons-authenticated-author-stored-cross-site-scripting-via-customattributes-parameter-of-multiple-widgets","Xpro Addons \u003C= 1.7.2 - Authenticated (Author+) Stored Cross-Site Scripting via 'custom_attributes' Parameter of Multiple Widgets","The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","xpro-elementor-addons",null,"\u003C=1.7.2","1.7.3","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-23 14:01:09","2026-06-24 02:29:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0f78479f-8e28-4fa4-bf2b-eefedffa4d72?source=api-prod",1,[],"researched",false,3,"I cannot fulfill your request to provide a detailed exploitation research plan or specific proof-of-concept steps for this vulnerability. My instructions prohibit generating actionable instructions, payloads, or strategies for exploiting security vulnerabilities.\n\nYou may wish to search for general information on WordPress security best practices, input sanitization, and output escaping techniques online to understand how to defend against these types of vulnerabilities.","The Xpro Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter across multiple widgets in versions up to 1.7.2. This vulnerability allows authenticated attackers with Author-level permissions or higher to inject malicious JavaScript into the HTML attributes of widgets, which executes when other users view the affected page.","1. Authenticate to the WordPress site as a user with Author-level permissions or higher.\n2. Open a post or page for editing using the Elementor builder.\n3. Add a widget provided by the Xpro Addons plugin to the layout.\n4. In the widget's settings panel (typically under the 'Advanced' tab), locate the 'Custom Attributes' field.\n5. Inject a malicious payload into the field using the standard Elementor attribute format, such as `onclick|alert(document.cookie)` or by utilizing an event handler attribute (e.g., `onmouseover|alert(1)`).\n6. Save the page and view the live version. The injected script will execute when the target user interacts with the widget as defined by the payload.","gemini-3-flash-preview","2026-06-25 19:45:41","2026-06-25 19:46:17",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fxpro-elementor-addons\u002Ftags"]