Skip to main content

Xpro Addons 140 Widgets For Elementor

1 CVEs product

Monthly

CVE-2026-11614 MEDIUM This Month

Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the `custom_attributes` parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. No public exploit identified at time of analysis, though Wordfence has published source-code-level vulnerability locations across multiple widget layout files.

XSS WordPress Xpro Addons 140 Widgets For Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the `custom_attributes` parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. No public exploit identified at time of analysis, though Wordfence has published source-code-level vulnerability locations across multiple widget layout files.

XSS WordPress Xpro Addons 140 Widgets For Elementor
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy