MEDIUM 6.4

CVE-2026-9281: Master Addons For Elementor Stored XSS Vulnerability (3.1.0 and Earlier)

Master Addons For Elementor, a popular WordPress plugin, contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with author-level permissions to inject malicious scripts into pages. The vulnerability exists in the Custom JS Extension feature and affects all versions up to 3.1.0. Because the injected scripts persist in the database and execute whenever visitors view the affected pages, this could be used to steal credentials, distribute malware, or redirect users to phishing sites. The core issue is that the plugin fails to properly validate and sanitize user input when saving custom JavaScript code, and the security checks that exist only apply to the visual editor interface, not to direct API calls.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the handling of the 'jtlma_custom_js' page setting within the Master Addons For Elementor plugin's Custom JS Extension. The plugin enforces an 'unfiltered_html' capability check only during Elementor control registration (UI rendering phase), not during the actual save operation via admin-ajax.php. This allows authenticated users with author-level access or higher to bypass the UI-level restriction by crafting a POST request directly to the admin-ajax.php endpoint with action=elementor_ajax, injecting arbitrary JavaScript that gets stored in the database without sanitization or escaping. The stored payload executes in the context of any user visiting the affected page, resulting in a stored XSS condition. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Business impact

A successful exploitation could compromise website integrity and user security. Attackers with author-level access (a common privilege level for content creators, editors, or compromised accounts) could inject malicious scripts that harvest visitor credentials, exfiltrate data, perform unauthorized actions on behalf of visitors, or redirect users to malware distribution sites. For organizations running Master Addons on client-facing WordPress sites, this represents a direct threat to visitor trust and data confidentiality. The impact extends beyond the immediate website to any user who visits an injected page, making the blast radius potentially significant for high-traffic sites.

Affected systems

Master Addons For Elementor plugin versions 3.1.0 and earlier are vulnerable. This includes organizations using any version of the plugin with WordPress sites that grant author-level access to contributors, editors, or other non-administrative users. The vulnerability does not require admin-level privileges to exploit, making it accessible to a broader set of potential attackers, including disgruntled staff or compromised lower-privilege accounts.

Exploitability

The vulnerability is moderately exploitable. It requires prior authentication (author-level access or higher) and the attacker must have knowledge of the WordPress admin-ajax.php endpoint and the specific parameter structure. However, once the attacker has author-level credentials—whether through social engineering, credential stuffing, or insider threat—the exploitation itself is straightforward: a single crafted POST request can inject persistent malicious code. No user interaction is required to execute the payload; any visitor to the affected page triggers script execution. The CVSS 3.1 score of 6.4 (Medium severity) reflects the requirement for authenticated access balanced against the network-accessible nature and the ability to affect multiple users.

Remediation

Organizations using Master Addons For Elementor should immediately update to a patched version above 3.1.0 once available. Until patching is possible, restrict author-level access to only trusted users, regularly audit user permissions, and monitor admin-ajax.php logs for suspicious activity. Consider disabling the Custom JS Extension feature at the plugin level if not actively used. Additionally, implement Web Application Firewall (WAF) rules to detect and block POST requests to admin-ajax.php that contain suspicious JavaScript patterns in the jtlma_custom_js parameter.

Patch guidance

The vendor should release a patched version that enforces input sanitization and output escaping on the 'jtlma_custom_js' setting during the save process, not just during UI registration. The fix must apply the 'unfiltered_html' capability check at the point of data persistence, not just at the UI layer. Organizations should verify patch availability through the official Master Addons for Elementor plugin page on WordPress.org and apply updates immediately after testing in a staging environment to ensure compatibility with custom configurations.

Detection guidance

Monitor WordPress audit logs and database activity for modifications to the jtlma_custom_js setting. Look for POST requests to admin-ajax.php with action=elementor_ajax containing JavaScript code fragments, especially from author-level accounts during unusual hours. Use WordPress security plugins that log option changes and conduct periodic page inspections for unexpected inline JavaScript. If using a SIEM, create rules to flag admin-ajax.php requests that include script tags or event handlers in POST parameters. Check the wp_options table directly for entries containing 'jtlma_custom_js' with suspicious content.

Why prioritize this

This vulnerability should be prioritized due to the combination of persistence (stored XSS), broad impact (affects all site visitors), and low barrier to exploitation (requires only author-level access, which is common in multi-user WordPress environments). While not yet in the CISA Known Exploited Vulnerabilities catalog, the relative ease of exploitation and the widespread use of Elementor and its extensions in WordPress ecosystems make this a near-term risk. Organizations should patch before the vulnerability becomes widely publicized or active exploitation emerges.

Risk score, explained

The CVSS 3.1 score of 6.4 (Medium) reflects a network-accessible vulnerability requiring low-privilege authentication, with confidentiality and integrity impact but no availability impact. The score does not capture the full business risk: stored XSS affecting multiple users and persistent access to a site's trust layer warrant treating this as a high-priority patch candidate, especially for public-facing or sensitive websites. The 'Medium' classification is driven by the authentication requirement; however, organizations should not be falsely reassured—author-level access is frequently granted and often compromised.

Frequently asked questions

Does this vulnerability require admin-level access to exploit?

No. The vulnerability is exploitable by any authenticated user with author-level access or higher. This includes contributors, editors, and other roles commonly granted to content creators. The plugin's security check only enforces a capability during UI rendering, but an attacker can bypass the UI entirely by sending a crafted POST request directly to admin-ajax.php, making the admin-level check irrelevant.

What happens if I update to the latest version of Master Addons For Elementor?

Verify with the vendor that the version you update to includes a fix for CVE-2026-9281. The patch must enforce the 'unfiltered_html' capability check at the point where the jtlma_custom_js setting is saved, not just during UI registration. Check the plugin's changelog and advisory before updating to confirm the vulnerability is addressed in your target version.

Can this vulnerability be exploited if I restrict author-level access to trusted users only?

Restricting author access to trusted users significantly reduces risk, but does not eliminate it. Compromised credentials, insider threats, and supply-chain attacks on accounts with author privileges all remain possible. Patching the plugin is the only reliable mitigation; access control is a supporting layer.

How can I detect if this vulnerability has been exploited on my site?

Check the WordPress admin pages and posts for unexpected inline JavaScript or script tags, particularly in custom JS fields. Query your database wp_options table for entries with 'jtlma_custom_js' containing suspicious code. Review WordPress audit logs for changes to pages by author-level accounts during unexpected times. Use WordPress security plugins to scan for injected scripts and monitor future changes to page settings.

This analysis is provided for informational purposes and does not constitute legal or professional security advice. Security vulnerabilities are subject to change, and vendor advisories may be updated. Organizations should verify all patch versions, KEV status, and affected product lists against official vendor advisories and the CISA Known Exploited Vulnerabilities catalog before making remediation decisions. Proof-of-concept code and detailed exploitation techniques are intentionally omitted from this summary to limit the utility to malicious actors. Consult your security team, vendor, and legal counsel before implementing mitigations in production environments. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).