CVE-2026-2949
Stored XSS in Xpro Addons Icon Box Widget (Elementor
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xpro | addons_for_elementor | to 1.4.24 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow attackers with contributor-level access or above to inject malicious scripts into pages via the Icon Box widget. When other users visit these pages, the injected scripts execute in their browsers, which can lead to theft of sensitive information, session hijacking, or other malicious actions. This compromises the security and integrity of the website and its users.
Can you explain this vulnerability to me?
The Xpro Addons β 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the Icon Box widget in versions up to and including 1.4.24. This vulnerability arises because the plugin does not properly sanitize input or escape output, allowing authenticated users with contributor-level access or higher to inject malicious web scripts. These scripts execute whenever any user accesses the affected page, potentially compromising user security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (XSS) via the Icon Box widget in the Xpro Addons for Elementor WordPress plugin versions up to 1.4.24. Detection typically involves identifying if your WordPress site is running a vulnerable version of this plugin.
You can check the installed plugin version using WordPress CLI commands or by inspecting the plugin files.
- Use WP-CLI to check the plugin version: wp plugin list --status=active
- Look specifically for 'xpro-elementor-addons' and verify if the version is 1.4.24 or lower.
- Additionally, you can search your WordPress database or pages for suspicious injected scripts in pages using the Icon Box widget.
- Use grep or similar tools on your WordPress files or database exports to find suspicious JavaScript code or payloads.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the Xpro Addons for Elementor plugin to version 1.4.25 or later, where this vulnerability has been fixed.
This update includes proper escaping of user-supplied data in the Icon Box and Image Scroller widgets, preventing stored XSS attacks.
- Backup your WordPress site and database before applying updates.
- Update the plugin via the WordPress admin dashboard or using WP-CLI: wp plugin update xpro-elementor-addons
- After updating, verify that the plugin version is 1.4.25 or higher.
If immediate updating is not possible, consider restricting contributor-level access temporarily to reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with contributor-level access to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized access to user data or session hijacking, which may impact the confidentiality and integrity of personal data.
Such security weaknesses can affect compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data against unauthorized access and breaches.
However, the provided information does not explicitly state the direct impact on compliance or mention any regulatory assessments.