Xpro Addons 140 Widgets For Elementor
Monthly
Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the `custom_attributes` parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. No public exploit identified at time of analysis, though Wordfence has published source-code-level vulnerability locations across multiple widget layout files.
Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the `custom_attributes` parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. No public exploit identified at time of analysis, though Wordfence has published source-code-level vulnerability locations across multiple widget layout files.