Description
The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element.
Published: 2026-03-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via authenticated contributors
Action: Immediate Patch
AI Analysis

Impact

OoohBoi Steroids for Elementor contains a Stored Cross-Site Scripting flaw: values that an authenticated user with Contributor or higher privileges supplies to the _ob_spacerat_link, _ob_bbad_link and _ob_teleporter_link settings are stored and later written into the rendered page without sufficient neutralization. The description says the script runs only when a visitor clicks the affected element, which is the behaviour of a script-bearing URL (for example a javascript: scheme) placed in a link's href rather than of an inline script tag; the advisory does not state the exact payload. Because the Contributor role cannot publish, the realistic victim is an editor or administrator who clicks the element while reviewing or previewing the contributor's content, and the script then acts with that user's privileges (creating administrator accounts, altering content, stealing the session). The root cause is CWE-79, improper neutralization of input during web page generation: an output-encoding failure rather than purely an input-validation one.

Affected Systems

The vulnerability affects every release of the OoohBoi Steroids for Elementor plugin up to and including 2.1.24 (vendor slug sagarpatel124 in the CPE data). A WordPress site is exposed when the plugin is active and an account that is not fully trusted holds the Contributor role or higher, for example sites that accept guest authors or allow self-registration into such roles. Where only staff hold those roles, the flaw reduces to an insider risk.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) is Medium; the Scope:Changed component reflects that script stored by one user runs in other users' browsers. Note that the vector records UI:N even though the description says execution requires a victim to click the injected element. The EPSS score is under 1%, the flaw is not listed in the CISA KEV catalog, the SSVC assessment records no known exploitation and marks it not automatable, and no public exploit code is referenced here. An attacker needs a valid Contributor-level or higher account to store the payload, so the attack surface is limited to sites that grant write access to untrusted users.

Generated by OpenCVE AI on April 15, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround is currently recorded for this entry.

OpenCVE Recommended Actions

  • Upgrade OoohBoi Steroids for Elementor to a release later than 2.1.24 as soon as the vendor publishes one; at the time of this entry no fixed version is recorded. A correct fix sanitizes the three link settings on output, allowlisting URL schemes the way WordPress's esc_url() does, rather than removing the controls.
  • Until a fix exists, reduce who can reach the vulnerable settings: audit accounts holding Contributor or higher, remove or downgrade any that are not trusted, and disable self-registration into those roles. If untrusted contributors are essential to the site, deactivate the plugin until a fixed release is available. Reviewers should treat contributor-submitted pages that use these widgets with care, since the payload only fires when someone clicks the injected element.
  • Audit stored content for payloads that may already be present. The three settings are URL fields, so look in the plugin's stored Elementor data for values whose scheme is not http, https, mailto or tel (javascript: and data: in particular, including entity-encoded or whitespace-padded variants) and remove or replace them.
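The click-triggered link payload described under Impact and the post-incident scan recommended above, as an added example; this is not code from the plugin, Wordfence or OpenCVE. It assumes the payload is a script-scheme URL such as javascript: stored in one of the three link settings, that those settings sit inside the JSON Elementor keeps in the _elementor_data post meta (either as a bare string or as an object with a url member), and every sample row is constructed. The same scheme allowlist doubles as the sanitizer a fixed release would need.

```python
"""Hunt stored link settings for click-triggered XSS payloads.

Added example for this advisory; not code from the plugin, Wordfence or
OpenCVE. Assumed: the payload is a script-scheme URL (javascript:, data:,
...) saved in one of the three link settings, and those settings live in
the JSON Elementor stores in the _elementor_data post meta, as a bare
string or an object with a "url" member. SAMPLE_ROWS is constructed.
"""
import html
import json
import re
from typing import Iterable, Iterator, List, Optional, Tuple

# The three settings named in the advisory.
TARGET_KEYS = {"_ob_spacerat_link", "_ob_bbad_link", "_ob_teleporter_link"}

# Schemes a link control legitimately needs; everything else is flagged.
# Allowlisting is the approach WordPress's esc_url() takes to protocols.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)
# Browsers drop tab/newline/control characters while parsing a URL, so
# "java\tscript:" still executes; strip them before inspecting the scheme.
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")


def normalize_url(value: str) -> str:
    """Undo common evasion tricks so the scheme is seen as a browser sees it."""
    value = html.unescape(value)  # &#106;avascript: -> javascript:
    return _CONTROL_RE.sub("", value)


def url_scheme(value: str) -> Optional[str]:
    """Lower-cased scheme of the normalized URL, or None for relative URLs."""
    m = _SCHEME_RE.match(normalize_url(value))
    return m.group(1).lower() if m else None


def is_dangerous_url(value: str) -> bool:
    """True when the value carries a scheme outside the allowlist.

    Relative URLs and fragments have no scheme and pass. "localhost:8080/x"
    is flagged as an unknown scheme; in a hunt that false positive beats
    missing an obfuscated javascript: payload.
    """
    scheme = url_scheme(value)
    return scheme is not None and scheme not in ALLOWED_SCHEMES


def sanitize_link(value: str) -> str:
    """The shape a fix takes: keep allowlisted and relative URLs, blank the rest."""
    return "" if is_dangerous_url(value) else value


def _link_urls(setting) -> Iterator[str]:
    """A link setting is assumed to be a string or Elementor's {"url": ...} object."""
    if isinstance(setting, str):
        yield setting
    elif isinstance(setting, dict) and isinstance(setting.get("url"), str):
        yield setting["url"]


def find_payloads(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Walk the Elementor element tree, yielding (json_path, url) for flagged targets."""
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{path}/{key}"
            if key in TARGET_KEYS:
                for url in _link_urls(child):
                    if is_dangerous_url(url):
                        yield here, url
            else:
                yield from find_payloads(child, here)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_payloads(child, f"{path}[{i}]")


def scan_post_meta(rows: Iterable[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """rows are (post_id, meta_key, meta_value) as read from wp_postmeta.

    Returns (post_id, json_path, url) per flagged link. Values read straight
    from the database may still carry WordPress's added slashes and need
    unslashing before json.loads(); that step is not handled here.
    """
    findings = []
    for post_id, meta_key, meta_value in rows:
        if meta_key != "_elementor_data":
            continue
        try:
            data = json.loads(meta_value)
        except json.JSONDecodeError:
            continue
        findings.extend((post_id, path, url) for path, url in find_payloads(data))
    return findings


# Constructed sample: post 42 carries an injected javascript: URL with a tab
# inserted to defeat a naive startswith("javascript:") check; post 43 is clean.
SAMPLE_ROWS = [
    (42, "_elementor_data", json.dumps([
        {"id": "a1", "elType": "widget", "settings": {
            "_ob_spacerat_link": {"url": "java\tscript:alert(document.cookie)"},
            "title": "Hello"}},
        {"id": "b2", "elType": "widget", "settings": {
            "_ob_bbad_link": {"url": "https://example.com/ok"}}},
    ])),
    (43, "_elementor_data", json.dumps([
        {"id": "c3", "settings": {"_ob_teleporter_link": "#section-2"}},
    ])),
]

if __name__ == "__main__":
    for post_id, path, url in scan_post_meta(SAMPLE_ROWS):
        print(f"post {post_id}: {path} -> {url!r}")
```

Run against SAMPLE_ROWS the scan reports only post 42; a real hunt would feed it the `_elementor_data` rows for every post and the revisions table as well, since a contributor's pending revision is exactly what a reviewer opens.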

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sagarpatel124
                                      Sagarpatel124 ooohboi Steroids For Elementor
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Sagarpatel124
                                      Sagarpatel124 ooohboi Steroids For Elementor
                                      Wordpress
                                      Wordpress wordpress

Thu, 05 Mar 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 04:00:00 +0000

Type                 Values Removed   Values Added
Description                           The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element.
Title                                 OoohBoi Steroids for Elementor <= 2.1.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple URL Controls
Weaknesses                            CWE-79
References
Metrics                               cvssV3_1
                                      {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:24.463Z

Reserved: 2026-02-23T15:40:31.880Z

Link: CVE-2026-3034

Vulnrichment

Updated: 2026-03-05T15:29:13.870Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T04:15:57.407

Modified: 2026-03-05T19:38:53.383

Link: CVE-2026-3034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses