Description
The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on the 'text' user supplied attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-02
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting leading to arbitrary script execution for users viewing the injected page
Action: Apply Patch
AI Analysis

Impact

The Magic Buttons for Elementor plugin is vulnerable to stored XSS via its magic‑button shortcode. The ‘text’ attribute supplied by users is not properly sanitized or escaped, allowing injected script to persist in page content. An attacker who is authenticated with contributor or higher permissions can place arbitrary JavaScript in the shortcode, which will run in the browsers of every user who accesses that page. This flaw can be exploited for cookie theft, session hijacking, defacement, or the execution of additional malicious payloads.

Affected Systems

All installations of the Magic Buttons for Elementor plugin on WordPress, specifically versions up to and including 1.0. The vulnerability affects any site that uses the magic‑button shortcode in its content.

Risk and Exploitability

The CVSS score of 6.4 classifies the issue as moderate severity, and the EPSS score of less than 1% indicates a low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Because it requires authenticated contributor‑level access, the attacker must already have the ability to edit or create content. Once that privilege is obtained, inserting a malicious shortcode is straightforward and the payload will execute in the context of any visitor to the page.

Generated by OpenCVE AI on April 21, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Magic Buttons for Elementor 1.1 or later, where input sanitization for the ‘text’ attribute has been fixed.
  • If an upgrade is not possible, disable the magic‑button shortcode altogether or remove all instances of it from existing content to eliminate stored payloads.
  • As a temporary precaution, restrict contributor‑level or higher users from editing posts that contain the magic‑button shortcode, or revoke their general ability to use shortcodes until a patch can be applied.
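The defect class behind this advisory (CWE-79: a shortcode attribute echoed into page HTML without escaping) and the fix the recommended upgrade would need to contain are illustrated below. This is an added example, not the Magic Buttons for Elementor source and not OpenCVE's code; the shortcode tag names, the function names and the 'url' attribute are assumptions, and only the 'text' attribute corresponds to the advisory.

```php
<?php
// Added illustration of the CWE-79 pattern described in this advisory.
// NOT the Magic Buttons for Elementor plugin code: the tags
// 'demo_button_vuln' / 'demo_button_safe', the function names and the
// 'url' attribute are assumed for the example.

// Vulnerable pattern: the user-supplied 'text' attribute is concatenated
// into the markup verbatim, so whatever a contributor types in the
// shortcode is stored and rendered as HTML for every visitor.
function demo_button_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'text' => 'Click', 'url' => '#' ),
        $atts,
        'demo_button_vuln'
    );
    return '<a class="magic-button" href="' . $atts['url'] . '">'
         . $atts['text'] . '</a>';
}

// Hardened pattern: normalise the input on the way in, then escape for the
// exact output context on the way out (esc_url() for the href attribute,
// esc_html() for the element text). The shortcode handler's own output is
// not run through the kses post-content filter that limits what
// contributors may save, so escaping here is what actually protects viewers.
function demo_button_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'text' => 'Click', 'url' => '#' ),
        $atts,
        'demo_button_safe'
    );
    $text = sanitize_text_field( $atts['text'] ); // strips tags, trims, removes control bytes
    $url  = esc_url( $atts['url'] );              // rejects disallowed URL schemes
    return '<a class="magic-button" href="' . $url . '">'
         . esc_html( $text ) . '</a>';
}

// Only the hardened handler is registered; the vulnerable function is kept
// solely for side-by-side comparison during review.
add_shortcode( 'demo_button_safe', 'demo_button_hardened' );
```

When auditing a plugin for this class of issue, the check is mechanical: every value that originates from a shortcode attribute, widget setting or post meta must pass through the escaping function matching its output context (esc_html, esc_attr, esc_url, or wp_kses with an explicit allow-list) at the point where it is printed, regardless of any sanitisation done on save.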

Generated by OpenCVE AI on April 21, 2026 at 19:56 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-19682
Title: The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Values Removed: The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Values Added: The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on the 'text' user supplied attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References

Tue, 08 Jul 2025 14:15:00 +0000

Type: First Time appeared
Values Added: Pwrplugins; Pwrplugins magic Buttons For Elementor
Type: CPEs
Values Added: cpe:2.3:a:pwrplugins:magic_buttons_for_elementor:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Pwrplugins; Pwrplugins magic Buttons For Elementor

Wed, 02 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 04:00:00 +0000

Type: Description
Values Added: The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: Magic Buttons for Elementor <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:07.121Z

Reserved: 2025-06-25T21:32:47.003Z

Link: CVE-2025-6686

Vulnrichment

Updated: 2025-07-02T13:05:24.546Z

NVD

Status : Modified

Published: 2025-07-02T04:16:00.243

Modified: 2026-04-08T18:25:05.370

Link: CVE-2025-6686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses