Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidthemes Void Elementor WHMCS Elements For Elementor Page Builder void-elementor-whmcs-elements. This issue affects Void Elementor WHMCS Elements For Elementor Page Builder: from n/a through <= 2.0.1.2.
Analysis (AI)
Stored cross-site scripting (XSS) in Void Elementor WHMCS Elements for Elementor Page Builder through version 2.0.1.2 allows authenticated attackers to inject malicious scripts into web pages generated by the plugin, potentially compromising site visitors and administrators. The vulnerability stems from improper input sanitization in page generation functions. No public exploit code or active exploitation has been identified, but the low EPSS score (0.04%) reflects limited real-world attack probability despite the high-impact nature of XSS vulnerabilities.
Technical Context (AI)
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a class of input validation failures where user-supplied data is rendered into web page output without adequate escaping or sanitization. The Void Elementor WHMCS Elements plugin extends the Elementor page builder with WordPress-specific functionality for WHMCS (Web Host Manager Complete Solution) integration. The flaw occurs in the plugin's page generation logic, likely in widget output functions or shortcode handlers that fail to properly escape dynamic content before rendering it to the DOM. This allows an authenticated user (with edit_posts capability or higher) to craft malicious payloads that execute in the browser context of site visitors or administrators viewing the affected pages.
Affected Products (AI)
Void Elementor WHMCS Elements for Elementor Page Builder (void-elementor-whmcs-elements) through version 2.0.1.2 is affected. This is a WordPress plugin extending the Elementor page builder framework with WHMCS-specific widgets and components. No specific CPE string is provided for this entry. The vendor advisory is available at https://patchstack.com/database/Wordpress/Plugin/void-elementor-whmcs-elements/vulnerability/wordpress-void-elementor-whmcs-elements-for-elementor-page-builder-plugin-2-0-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve
Remediation (AI)
Update Void Elementor WHMCS Elements for Elementor Page Builder to the patched version released by voidthemes following the CVE disclosure. Users should navigate to WordPress Dashboard > Plugins and check for available updates, or manually download the latest version from the WordPress plugin repository. As an interim mitigation, site administrators should restrict page editing capabilities to trusted administrators only and audit existing pages for suspicious content. Review user roles and capabilities to ensure only necessary users have the edit_posts or edit_pages capabilities. Consult the vendor's security advisory at Patchstack (https://patchstack.com/database/Wordpress/Plugin/void-elementor-whmcs-elements/) for the exact patched version number and deployment instructions.