Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.
Published: 2026-03-13
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site Scripting (DOM-based)
Action: Patch
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation that allows a DOM‑Based Cross‑Site Scripting (XSS) attack. An attacker could inject malicious scripts into page content viewed by other users, potentially leading to session hijacking, credential theft, or defacement. The weakness is identified as CWE‑79, indicating that user input was not properly validated or encoded before being rendered in the browser, compromising confidentiality and integrity of user sessions.

Affected Systems

The affected software is the WordPress plugin Master Addons for Elementor developed by Liton Arefin. Versions from the initial release (n/a) up to and including 2.1.3 are vulnerable, so any WordPress site running the plugin at these versions is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score of less than 1% suggests low exploitation probability currently. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, meaning there is no confirmed active exploitation. Likely attack vector is through a user’s browser when viewing a page that incorporates the vulnerable plugin; the attacker requires the victim to access the page to execute the injected script.

Generated by OpenCVE AI on March 16, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Master Addons for Elementor to a version newer than 2.1.3 if available.
  • If no newer version exists, consider disabling or uninstalling the plugin until a patch is released.
  • Monitor the vendor’s release notes and security advisories for updates and apply them promptly.

Generated by OpenCVE AI on March 16, 2026 at 23:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Liton Arefin
Liton Arefin master Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Liton Arefin
Liton Arefin master Addons For Elementor
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.
Title WordPress Master Addons for Elementor plugin <= 2.1.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Liton Arefin Master Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:22.677Z

Reserved: 2026-03-12T11:11:45.408Z

Link: CVE-2026-32462

cve-icon Vulnrichment

Updated: 2026-03-16T19:22:44.995Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:55:08.773

Modified: 2026-03-16T20:16:19.813

Link: CVE-2026-32462

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:03:04Z

Weaknesses