Description
The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely.
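The mismatch the description points at, shown as an added illustration that is not the plugin's own code: a capability check that lives only where the editor control is registered, beside the same check enforced on the save path. It assumes Elementor's `elementor/documents/register_controls` action and `elementor/document/save/data` filter with the signatures used below, and the `jtlma_custom_js` settings key named above.

```php
<?php
// Added illustration, not the plugin's code. Hook names and signatures are
// assumptions about Elementor's document API.

// Weak pattern: unfiltered_html only decides whether the editor shows the
// control. A request that submits the setting directly never hits this check.
add_action('elementor/documents/register_controls', function ($document) {
    if (! current_user_can('unfiltered_html')) {
        return; // control hidden in the UI, but nothing stops a direct save
    }
    $document->start_controls_section('jtlma_custom_js_section', [
        'label' => 'Custom JS',
        'tab'   => \Elementor\Controls_Manager::TAB_SETTINGS,
    ]);
    $document->add_control('jtlma_custom_js', [
        'label' => 'Custom JS',
        'type'  => \Elementor\Controls_Manager::CODE,
    ]);
    $document->end_controls_section();
});

// Hardened pattern: enforce the same capability where the data is persisted,
// so the setting is discarded for any user who could not have been offered
// the control, whatever path the request took.
add_filter('elementor/document/save/data', function (array $data, $document) {
    if (isset($data['settings']['jtlma_custom_js'])
        && ! current_user_can('unfiltered_html')) {
        // Dropping the key also clears a value an administrator stored earlier;
        // restoring the previously saved value instead is the stricter option.
        unset($data['settings']['jtlma_custom_js']);
    }
    return $data;
}, 10, 2);
```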
Published: 2026-06-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Master Addons For Elementor plugin allows an authenticated author‑level user to store arbitrary JavaScript in the jtlma_custom_js page setting. Because the plugin does not properly sanitize or escape this input during the save process, the script is persisted and executed whenever any visitor accesses the affected page, a classic stored XSS scenario. This flaw may lead to disclosure of sensitive data, manipulation of page content, and phishing or session hijacking at the site level. The weakness is a traditional input validation issue categorized as CWE‑79.

Affected Systems

WordPress sites running the Master Addons For Elementor plugin version 3.1.0 or earlier are affected. The plugin is developed by litonice13 and is used in various theme builders, widget packs, and popup builders for Elementor. All releases up to and including 3.1.0 are explicitly listed as vulnerable; no patched release is documented in the plugin's version history beyond 3.1.0, so any site using that or an earlier release is exposed.

Risk and Exploitability

The CVSS score of 6.4 reflects moderate severity. EPSS is not available, so an exact exploitation probability cannot be determined, but the lack of a KEV listing indicates the vulnerability has not yet been widely exploited. Attackers need author‑level or higher access and must submit a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing UI restrictions. Once injected, the malicious script runs in the context of any visitor to the page, potentially compromising credentials and session data.

Generated by OpenCVE AI on June 6, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Master Addons For Elementor plugin update (v3.1.1 or later) that includes input sanitization for the jtlma_custom_js setting.
  • If an upgrade is not immediately possible, disable the Custom JS extension in the plugin’s settings and delete all stored scripts from the page setting.
  • Enable the WordPress 'unfiltered_html' capability only for trusted administrators and restrict author-level access to prevent arbitrary script injection.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000
  Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 04:15:00 +0000
  First Time appeared, values added: Litonice13; Litonice13 master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits; Wordpress; Wordpress wordpress
  Vendors & Products, values added: Litonice13; Litonice13 master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits; Wordpress; Wordpress wordpress

Sat, 06 Jun 2026 02:15:00 +0000
  Description, values added: the CVE description shown above (verbatim)
  Title, values added: Master Addons For Elementor <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension)
  Weaknesses, values added: CWE-79
  References, values added: none listed
  Metrics, values added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:45:08.166Z

Reserved: 2026-05-22T13:59:58.353Z

Link: CVE-2026-9281

Vulnrichment

Updated: 2026-06-06T11:45:03.338Z

NVD

Status: Received

Published: 2026-06-06T02:16:22.820

Modified: 2026-06-06T02:16:22.820

Link: CVE-2026-9281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T04:00:15Z

Weaknesses