Master Addons For Elementor <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension)
CVE-2026-9281
Key Information:
- Vendor: WordPress
- CVE Published: 6 June 2026
What is CVE-2026-9281?
The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely.
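A save-time guard for the gap described above, written as a must-use plugin; this is an added example, not code from the plugin or its vendor. It assumes Elementor applies its `elementor/document/save/data` filter on the save path and keeps page settings in the `_elementor_page_settings` post meta; `jtlma_guard_pin` and `JTLMA_GUARDED_KEY` are names made up for this example.

```php
<?php
/**
 * Plugin Name: jtlma_custom_js save-time guard (added example)
 * Place in wp-content/mu-plugins/. Re-applies, on save, the unfiltered_html
 * check that the advisory says is made only at control registration.
 */

const JTLMA_GUARDED_KEY = 'jtlma_custom_js'; // setting name from the advisory

/**
 * Pin the guarded key to the value already stored for the page, so a user
 * without unfiltered_html can neither set nor change it.
 */
function jtlma_guard_pin( array $incoming, array $stored ) {
	if ( array_key_exists( JTLMA_GUARDED_KEY, $stored ) ) {
		$incoming[ JTLMA_GUARDED_KEY ] = $stored[ JTLMA_GUARDED_KEY ];
	} else {
		unset( $incoming[ JTLMA_GUARDED_KEY ] );
	}
	return $incoming;
}

// Assumptions: Elementor applies the 'elementor/document/save/data' filter on
// its save path with page settings in $data['settings'], and stores them in
// the '_elementor_page_settings' post meta.
add_filter( 'elementor/document/save/data', function ( $data, $document ) {
	if ( current_user_can( 'unfiltered_html' ) ) {
		return $data; // same capability the UI-level check relies on
	}
	if ( empty( $data['settings'] ) || ! is_array( $data['settings'] ) ) {
		return $data;
	}
	$post_id = $document->get_main_id();
	$stored  = get_post_meta( $post_id, '_elementor_page_settings', true );
	$stored  = is_array( $stored ) ? $stored : array();
	$pinned  = jtlma_guard_pin( $data['settings'], $stored );
	if ( $pinned !== $data['settings'] ) {
		// Log the rejected change so it can be alerted on.
		error_log( sprintf( 'jtlma-guard: ignored %s change on post %d by user %d',
			JTLMA_GUARDED_KEY, $post_id, get_current_user_id() ) );
	}
	$data['settings'] = $pinned;
	return $data;
}, 10, 2 );
```

The guard leaves values stored before it was installed untouched, so pages that already carry a `jtlma_custom_js` setting still need review.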
Affected Version(s)
Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits 0 <= 3.1.0