CVE-2026-2486
Stored XSS in Master Addons for Elementor Plugin
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| master_addons | master_addons_for_elementor | to 2.1.1 (inc) |
| master_addons | ma_business_hours | 2.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The Master Addons For Elementor plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1.1. This vulnerability arises because the plugin does not properly sanitize or escape the input provided via the 'ma_el_bh_table_btn_text' parameter."}, {'type': 'paragraph', 'content': 'Authenticated users with contributor-level access or higher can exploit this flaw by injecting malicious scripts into pages. These scripts then execute whenever any user accesses the affected page, potentially compromising user data or site integrity.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability allows attackers with contributor-level access or above to inject arbitrary web scripts into pages. When other users visit these pages, the malicious scripts execute in their browsers.'}, {'type': 'list_item', 'content': 'It can lead to theft of user credentials or session tokens.'}, {'type': 'list_item', 'content': 'It may enable attackers to perform actions on behalf of other users.'}, {'type': 'list_item', 'content': "It can damage the website's reputation and trustworthiness."}, {'type': 'list_item', 'content': 'It may result in unauthorized access to sensitive information.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by inspecting the usage of the 'ma_el_bh_table_btn_text' parameter in the Master Addons For Elementor plugin, particularly in versions up to 2.1.1. Since the issue is a Stored Cross-Site Scripting (XSS) vulnerability, detection involves checking if unescaped user input is being rendered in the plugin's output."}, {'type': 'paragraph', 'content': "One way to detect it is to search the plugin files for instances where 'ma_el_bh_table_btn_text' is output without proper escaping. For example, you can run the following command in the plugin directory to find such occurrences:"}, {'type': 'list_item', 'content': 'grep -rn "ma_el_bh_table_btn_text" .'}, {'type': 'paragraph', 'content': "Look specifically for lines that output this parameter directly, such as using '<?php echo $settings['ma_el_bh_table_btn_text']; ?>' without escaping functions like esc_html()."}, {'type': 'paragraph', 'content': 'Additionally, you can monitor HTTP requests and responses for suspicious script injections in pages rendered by the plugin, especially from users with contributor-level access or higher.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "The immediate mitigation step is to update the Master Addons For Elementor plugin to version 2.1.2 or later, where the vulnerability has been fixed by properly escaping the 'ma_el_bh_table_btn_text' parameter using the WordPress esc_html() function."}, {'type': 'paragraph', 'content': 'If updating is not immediately possible, restrict contributor-level and higher user access to trusted users only, as the vulnerability requires authenticated users with such privileges to exploit.'}, {'type': 'paragraph', 'content': 'Also, consider implementing Web Application Firewall (WAF) rules to detect and block attempts to inject scripts via this parameter.'}] [1]