CVE-2026-32429
Received Received - Intake
Stored XSS in Magical Addons for Elementor

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Magical Addons For Elementor magical-addons-for-elementor allows Stored XSS.This issue affects Magical Addons For Elementor: from n/a through <= 1.4.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32429
EUVD
EUVD-2026-11962
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack magical_addons_for_elementor From 1.0.0 (inc) to 1.4.1 (inc)
noor_alam magical_addons_for_elementor to 1.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32429 is a Cross Site Scripting (XSS) vulnerability found in the WordPress plugin "Magical Addons For Elementor" versions up to and including 1.4.1.'}, {'type': 'paragraph', 'content': 'This vulnerability occurs because the plugin improperly neutralizes input during web page generation, allowing an attacker to inject malicious scripts.'}, {'type': 'paragraph', 'content': 'Exploitation requires a privileged user (with at least Contributor or Developer privileges) to interact with a crafted malicious link, page, or form.'}, {'type': 'paragraph', 'content': 'If successfully exploited, the attacker can inject scripts such as redirects, advertisements, or other HTML payloads that execute when site visitors access the compromised content.'}] [1]

Impact Analysis

This vulnerability can lead to the execution of malicious scripts on your website, potentially causing unauthorized redirects, unwanted advertisements, or other harmful HTML payloads to be displayed to your visitors.

Since exploitation requires a privileged user to interact with malicious content, the risk is somewhat limited but still significant.

The CVSS score of 6.5 indicates a medium severity level, meaning the impact can include partial compromise of confidentiality, integrity, and availability of the affected system.

Users are advised to update to version 1.4.2 of the plugin to mitigate this risk.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a Stored Cross Site Scripting (XSS) issue in the Magical Addons For Elementor WordPress plugin up to version 1.4.1. Detection involves identifying if the vulnerable plugin version is installed and if malicious scripts have been injected into web pages generated by the plugin.

Since exploitation requires a privileged user interaction, monitoring logs for suspicious user actions such as unexpected form submissions or clicks on crafted links can help detect attempts.

Specific commands are not provided in the available resources, but general steps include checking the plugin version installed on your WordPress site and scanning for injected scripts in the content generated by the plugin.

Mitigation Strategies

The primary mitigation step is to update the Magical Addons For Elementor plugin to version 1.4.2 or later, where this vulnerability has been patched.

Additionally, restricting privileged user actions and monitoring for suspicious activity can reduce the risk of exploitation.

Using automated update and rapid mitigation services, such as those offered by Patchstack, can also help in quickly addressing this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart