Stored Cross-Site Scripting in Master Addons for Elementor Plugin by WordPress
CVE-2026-9281

6.4MEDIUM

What is CVE-2026-9281?

The Master Addons For Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping. This vulnerability allows authenticated users with author-level access and higher to inject malicious scripts into web pages. The insecure handling of the 'jtlma_custom_js' Page Setting through crafted POST requests means that the unfiltered_html capability check is bypassed during the save process, creating a serious risk for users who access the compromised pages.

Affected Version(s)

Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits 0 <= 3.1.0

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chairat Toraya
Athiwat Tiprasaharn
Itthidej Aramsri
.