CVE-2026-32429
Stored XSS in Magical Addons for Elementor
Publication date: 2026-03-13
Last updated on: 2026-03-13
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | magical_addons_for_elementor | From 1.0.0 (inc) to 1.4.1 (inc) |
| noor_alam | magical_addons_for_elementor | up to 1.4.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32429 is a Cross Site Scripting (XSS) vulnerability found in the WordPress plugin "Magical Addons For Elementor" versions up to and including 1.4.1.
This vulnerability occurs because the plugin improperly neutralizes input during web page generation, allowing an attacker to inject malicious scripts.
Exploitation requires a privileged user (with at least Contributor or Developer privileges) to interact with a crafted malicious link, page, or form.
If successfully exploited, the attacker can inject scripts such as redirects, advertisements, or other HTML payloads that execute when site visitors access the compromised content. [1]
How can this vulnerability impact me?
This vulnerability can lead to the execution of malicious scripts on your website, potentially causing unauthorized redirects, unwanted advertisements, or other harmful HTML payloads to be displayed to your visitors.
Since exploitation requires a privileged user to interact with malicious content, the risk is somewhat limited but still significant.
The CVSS score of 6.5 indicates a medium severity level, meaning the impact can include partial compromise of confidentiality, integrity, and availability of the affected system.
Users are advised to update to version 1.4.2 of the plugin to mitigate this risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross Site Scripting (XSS) issue in the Magical Addons For Elementor WordPress plugin up to version 1.4.1. Detection involves identifying whether the vulnerable plugin version is installed and whether malicious scripts have been injected into web pages generated by the plugin.
Since exploitation requires a privileged user interaction, monitoring logs for suspicious user actions such as unexpected form submissions or clicks on crafted links can help detect attempts.
Specific commands are not provided in the available resources, but general steps include checking the plugin version installed on your WordPress site and scanning for injected scripts in the content generated by the plugin.
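The two general steps above (check the installed plugin version, then scan plugin-generated content for injected script) can be scripted. The following is an added example written for this page; it is not Patchstack's tooling or the plugin's own code. It assumes the plugin lives under the wordpress.org-style directory slug `magical-addons-for-elementor` (an assumption, not stated on the page), reads the version from the standard WordPress plugin header, and treats anything below the fixed release 1.4.2 as affected. The content scan is a coarse heuristic (script tags, `javascript:` URLs, inline event handlers) meant to produce a review list, not a verdict; the sample posts are constructed.

```python
import re
from pathlib import Path

# Assumed plugin directory slug (wordpress.org convention); not stated on the page.
PLUGIN_SLUG = "magical-addons-for-elementor"
# First patched release according to the advisory.
FIXED_VERSION = "1.4.2"

# Matches the "Version:" line of a standard WordPress plugin header.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(text):
    """Return a numeric tuple such as (1, 4, 1) from a plugin header, or None."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)
        if not digits:  # stop at suffixes such as "-beta"
            break
        parts.append(int(digits.group()))
    return tuple(parts) if parts else None


def _pad(version, width=3):
    """Right-pad a version tuple with zeros so (1, 4) compares as (1, 4, 0)."""
    return tuple(version) + (0,) * (width - len(version))


def is_affected(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fixed release.

    The advisory table lists the affected range as 1.0.0 through 1.4.1; any
    release below 1.4.2 is treated as unpatched here.
    """
    fixed_tuple = parse_version("Version: " + fixed)
    return _pad(version) < _pad(fixed_tuple)


def check_install(wp_root):
    """Locate the plugin under wp-content/plugins and report its patch status."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return {"installed": False}
    for php in sorted(plugin_dir.glob("*.php")):
        text = php.read_text(errors="ignore")
        version = parse_version(text)
        # The main plugin file is the one carrying the "Plugin Name:" header.
        if version is not None and "Plugin Name:" in text:
            return {
                "installed": True,
                "version": ".".join(map(str, version)),
                "affected": is_affected(version),
            }
    return {"installed": True, "version": None, "affected": None}


# Heuristic markers of injected active content in stored post/widget HTML.
SUSPECT_RE = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspect_posts(posts):
    """posts: iterable of (post_id, html). Returns ids that need manual review."""
    return [post_id for post_id, html in posts if SUSPECT_RE.search(html)]


# Constructed sample content standing in for rows exported from wp_posts.
SAMPLE_POSTS = [
    (101, '<div class="mg-widget"><p>Welcome to our site</p></div>'),
    (102, '<div class="mg-widget"><script src="https://example.invalid/x.js"></script></div>'),
    (103, '<a href="https://example.invalid/about">About us</a>'),
]

if __name__ == "__main__":
    # Constructed header for demonstration; on a real site use check_install("/var/www/html").
    sample_header = "/*\nPlugin Name: Magical Addons For Elementor\nVersion: 1.4.1\n*/"
    v = parse_version(sample_header)
    print("parsed version:", v, "affected:", is_affected(v))
    print("posts to review:", find_suspect_posts(SAMPLE_POSTS))
```

On a live site, `check_install("/path/to/wordpress")` replaces the constructed header, and the rows for `find_suspect_posts` can come from a `wp_posts` export; anything the heuristic flags still needs a human to confirm it is not legitimate embedded markup.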
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Magical Addons For Elementor plugin to version 1.4.2 or later, where this vulnerability has been patched.
Additionally, restricting privileged user actions and monitoring for suspicious activity can reduce the risk of exploitation.
Using automated update and rapid mitigation services, such as those offered by Patchstack, can also help in quickly addressing this vulnerability.