Skip to main content

Xpro Elementor Addons CVE-2026-11614

| EUVDEUVD-2026-38643 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Wordfence GHSA-j94v-j96m-m8j5
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Author-level WordPress account required (PR:L); stored payload fires in victim browsers without further attacker interaction (UI:N, S:C); no availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 03:44 vuln.today
CVE Published
Jun 24, 2026 - 02:29 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the custom_attributes parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or register WordPress Author account
Delivery
Access Elementor page editor on target site
Exploit
Inject JavaScript payload into custom_attributes parameter of any affected Xpro widget
Install
Publish or save page to persist payload in database
C2
Victim user browses injected page
Execute
Stored script executes in victim browser session
Impact
Exfiltrate session token or perform privileged action as victim

Vulnerability AssessmentAI

Exploitation The attacker must hold a WordPress account with at minimum the Author role (or higher: Editor, Administrator). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.4 (Medium) reflects a network-accessible (AV:N), low-complexity (AC:L), low-privilege (PR:L) attack with a scope change (S:C) into the victim's browser session, with only partial confidentiality and integrity impact (C:L/I:L) and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or registered a WordPress Author account on a target site opens the Elementor page editor and injects a JavaScript payload - such as a cookie-exfiltration script - into the `custom_attributes` field of an affected Xpro widget (e.g., the icon-box or button widget), then publishes the page. The payload persists in the database and is rendered unsanitized into the page HTML on every subsequent visit; when a site administrator later browses the page, the script executes in their browser, captures the admin session cookie, and transmits it to an attacker-controlled endpoint, enabling full administrative takeover of the WordPress site.
Remediation Update the Xpro Addons plugin to a version beyond 1.7.2; a specific patched release version is not confirmed in available data - verify the latest version via the WordPress Plugin Directory or the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/0f78479f-8e28-4fa4-bf2b-eefedffa4d72. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11614 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy