Stored Cross-Site Scripting in Master Addons for Elementor Plugin by WordPress
CVE-2026-9281
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 6 June 2026
What is CVE-2026-9281?
The Master Addons For Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping. This vulnerability allows authenticated users with author-level access and higher to inject malicious scripts into web pages. The insecure handling of the 'jtlma_custom_js' Page Setting through crafted POST requests means that the unfiltered_html capability check is bypassed during the save process, creating a serious risk for users who access the compromised pages.
Affected Version(s)
Master Addons For Elementor β Widgets, Extensions, Theme Builder, Popup Builder & Template Kits 0 <= 3.1.0