Description
The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions up to, and including, 2.1.1 due to insufficient validation of custom attribute names. Specifically, the plugin uses `esc_html()` on the attribute name which does not prevent event handler attributes (e.g., `onmouseover`, `onclick`). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Flipbox Addon for Elementor plugin for WordPress contains a stored cross‑site scripting vulnerability. Unvalidated custom attribute names in the widget’s button URL field allow an attacker with author‑level or higher access to embed malicious scripts. The injected code is stored in the page and will execute in the browsers of all users who view the affected page, potentially compromising credentials, defacing content, or facilitating further attacks. The weakness stems from using esc_html() on the attribute name, which does not filter event‑handler attributes such as onmouseover or onclick.

Affected Systems

WordPress sites that have the Flipbox Addon for Elementor plugin version 2.1.1 or earlier installed. The affected vendor is dragwyb, and the vulnerability applies to all releases up to and including 2.1.1.

Risk and Exploitability

The flaw has a CVSS score of 6.4, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access at author level or higher; once the attacker supplies malicious attributes, the script is persisted and will run whenever an affected page is accessed by any user. Because the vulnerability is stored, repeated exposure can amplify the impact. Prompt remediation is advised to prevent untrusted content from being rendered.

Generated by OpenCVE AI on April 18, 2026 at 08:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Flipbox Addon for Elementor plugin to version 2.1.2 or later, which removes the unfiltered custom_attributes field.
  • If an update is not immediately possible, configure a web application firewall or custom sanitization rule to strip or refuse event‑handler attributes such as onmouseover, onclick, onload, etc., from the custom_attributes field before rendering the page.
  • Restrict author or higher roles from editing or inserting custom attributes where possible, or disable the feature entirely if not required for the site’s functionality.

Generated by OpenCVE AI on April 18, 2026 at 08:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
Description The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions up to, and including, 2.1.1 due to insufficient validation of custom attribute names. Specifically, the plugin uses `esc_html()` on the attribute name which does not prevent event handler attributes (e.g., `onmouseover`, `onclick`). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Flipbox Addon for Elementor <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-18T03:37:05.751Z

Reserved: 2026-04-09T19:32:35.200Z

Link: CVE-2026-6048

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-18T05:16:24.157

Modified: 2026-04-18T05:16:24.157

Link: CVE-2026-6048

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses