Description
The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-24
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Xpro Addons – 140+ Widgets for Elementor plugin contains a stored cross‑site scripting flaw in all releases up to and including 1.7.2. The vulnerability is triggered by the ‘custom_attributes’ parameter used in many widget configurations. If a user with author or higher permissions injects malicious JavaScript into this field, the code is saved to the database and executed for every visitor who loads the affected page.

Affected Systems

All WordPress sites running Xpro Addons version 1.7.2 or earlier are affected. The plug‑in provides more than 140 widgets for Elementor, and the stored payload can be placed in any widget that accepts the custom_attributes field.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker must first authenticate to the WordPress back‑end with author‑level or higher permissions to inject the payload. Once injected, the script runs in the context of every user who views the page, allowing potential defacement, cookie theft, session hijacking, or phishing attacks.

Generated by OpenCVE AI on June 24, 2026 at 05:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of Xpro Addons (1.7.3 or newer) which removes the vulnerability.
  • If immediate upgrade is not possible, limit author‑level access to trusted users only and monitor widget configurations for suspicious custom attributes.
  • As a short‑term workaround, review and clean existing custom_attributes values in the database to strip any embedded JavaScript, and apply proper escaping before outputting them again.

Generated by OpenCVE AI on June 24, 2026 at 05:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/tags/1.7.3/inc/helper-functions.php#L1069 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/tags/1.7.3/widgets/image-scroller/layout/frontend.php#L8 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/inc/helper-functions.php#L778 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/animated-link/layout/frontend.php#L21 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/author-box/layout/frontend.php#L59 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/button/layout/frontend.php#L36 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/hero-slider/layout/frontend.php#L65 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/hot-spot/layout/frontend.php#L35 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/icon-box/layout/frontend.php#L12 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/icon-box/layout/frontend.php#L28 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/image-scroller/layout/frontend.php#L14 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/image-scroller/layout/frontend.php#L28 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/info-list/layout/frontend.php#L15 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/pricing/layout/frontend.php#L16 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/promo-box/layout/frontend.php#L51 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/site-logo/layout/frontend.php#L35 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/site-title/layout/frontend.php#L28 cve-icon
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/team/layout/frontend.php#L46 cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f78479f-8e28-4fa4-bf2b-eefedffa4d72?source=cve cve-icon
History

Wed, 24 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Description The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Xpro Addons <= 1.7.2 - Authenticated (Author+) Stored Cross-Site Scripting via 'custom_attributes' Parameter of Multiple Widgets
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T02:29:07.464Z

Reserved: 2026-06-08T18:36:35.523Z

Link: CVE-2026-11614

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T06:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')