Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Author-level WordPress account required (PR:L); stored payload fires in victim browsers without further attacker interaction (UI:N, S:C); no availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the custom_attributes parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a WordPress account with at minimum the Author role (or higher: Editor, Administrator). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.4 (Medium) reflects a network-accessible (AV:N), low-complexity (AC:L), low-privilege (PR:L) attack with a scope change (S:C) into the victim's browser session, with only partial confidentiality and integrity impact (C:L/I:L) and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or registered a WordPress Author account on a target site opens the Elementor page editor and injects a JavaScript payload - such as a cookie-exfiltration script - into the `custom_attributes` field of an affected Xpro widget (e.g., the icon-box or button widget), then publishes the page. The payload persists in the database and is rendered unsanitized into the page HTML on every subsequent visit; when a site administrator later browses the page, the script executes in their browser, captures the admin session cookie, and transmits it to an attacker-controlled endpoint, enabling full administrative takeover of the WordPress site. |
| Remediation | Update the Xpro Addons plugin to a version beyond 1.7.2; a specific patched release version is not confirmed in available data - verify the latest version via the WordPress Plugin Directory or the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/0f78479f-8e28-4fa4-bf2b-eefedffa4d72. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38643
GHSA-j94v-j96m-m8j5