CVE-2026-32430
Stored XSS in PowerPack Addons for Elementor
Publication date: 2026-03-13
Last updated on: 2026-03-13
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ideabox_creations | powerpack_addons_for_elementor | From 1.0.0 (inc) to 2.9.9 (inc) |
| ideabox_creations | powerpack_addons_for_elementor | to 2.9.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32430 is a Cross Site Scripting (XSS) vulnerability in the WordPress PowerPack Addons for Elementor Plugin versions up to and including 2.9.9.
This vulnerability occurs due to improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts into the website.
Exploitation requires a privileged user (with at least Contributor or Developer privileges) to interact with a crafted malicious link, page, or form.
Once exploited, the injected scripts can execute when site visitors access the compromised website, potentially causing redirects, displaying unwanted advertisements, or other harmful HTML payloads.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing attackers to execute malicious scripts on your website when visitors access it.'}, {'type': 'list_item', 'content': 'Attackers can redirect visitors to malicious sites.'}, {'type': 'list_item', 'content': 'Attackers can display unwanted advertisements or other harmful content.'}, {'type': 'list_item', 'content': "It may lead to compromised user trust and potential damage to your website's reputation."}, {'type': 'paragraph', 'content': 'Exploitation requires a privileged user to interact with malicious content, so the risk is somewhat limited but still significant.'}, {'type': 'paragraph', 'content': 'Updating the plugin to version 2.9.10 or later mitigates this risk.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross Site Scripting (XSS) issue in the PowerPack Addons for Elementor plugin up to version 2.9.9. Detection involves identifying if your WordPress site is running a vulnerable version of this plugin.
You can check the installed plugin version using WordPress CLI commands or by inspecting the plugin details in the WordPress admin dashboard.
- Using WP-CLI, run: wp plugin list | grep powerpack-lite-for-elementor
- Check the plugin version output; if it is 2.9.9 or lower, your site is vulnerable.
Additionally, monitoring for unusual script injections or unexpected HTML payloads in pages generated by the plugin may indicate exploitation, but no specific detection commands are provided.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the PowerPack Addons for Elementor plugin to version 2.9.10 or later, where this vulnerability has been patched.
Since exploitation requires a privileged user interaction, ensure that user privileges are properly managed and limit the number of users with Contributor or Developer roles.
Consider applying additional security measures such as web application firewalls (WAF) and monitoring for suspicious activity.