Skip to main content

Master Addons for Elementor CVE-2026-9281

| EUVD-2026-34940 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-06 Wordfence GHSA-75j2-rqrx-9c7f
PHP XSS WordPress Elementor
6.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 02:28 vuln.today
CVE Published
Jun 06, 2026 - 01:26 nvd
MEDIUM 6.4

DescriptionCVE.org

The Master Addons For Elementor - Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely.

AnalysisAI

Stored Cross-Site Scripting in the Master Addons for Elementor WordPress plugin (versions up to and including 3.1.0) allows authenticated attackers with author-level access to inject persistent JavaScript into pages by exploiting a broken authorization boundary in the Custom JS Extension. The flaw arises because the unfiltered_html capability check is enforced only during UI rendering (Elementor control registration) and entirely absent from the save handler, permitting a crafted POST to admin-ajax.php?action=elementor_ajax to store arbitrary scripts that execute in every subsequent visitor's browser. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise author-level WordPress credentials
Delivery
Craft POST request to admin-ajax.php?action=elementor_ajax
Exploit
Inject malicious JS payload into jtlma_custom_js parameter
Execution
Save handler stores payload without sanitization, bypassing UI capability check
Persist
Victim visits the injected page
Impact
Stored script executes in victim's browser session
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an authenticated WordPress session at author level or higher (PR:L per CVSS vector) - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) score reflects moderate severity with some important nuances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained author-level credentials on a target WordPress site - through credential stuffing, phishing, or account registration if author self-registration is enabled - crafts a POST request directly to admin-ajax.php?action=elementor_ajax, embedding a malicious payload in the jtlma_custom_js parameter without triggering the UI-level unfiltered_html capability check. The injected script is saved to the page and executes silently in every subsequent visitor's browser, including logged-in administrators, enabling session cookie theft or drive-by payload delivery. …
Remediation An upstream fix has been committed to the plugin repository, as evidenced by the referenced changeset (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3556818%40master-addons&new=3556818%40master-addons); however, the exact patched release version number is not independently confirmed from the available intelligence - administrators should update to the latest available version beyond 3.1.0 from the WordPress plugin repository and verify the changelog references this fix. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-9281 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy