CVE-2026-6048
Received Received - Intake
Stored XSS in Flipbox Addon for Elementor Plugin

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: Wordfence

Description
The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions up to, and including, 2.1.1 due to insufficient validation of custom attribute names. Specifically, the plugin uses `esc_html()` on the attribute name which does not prevent event handler attributes (e.g., `onmouseover`, `onclick`). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6048
EUVD
EUVD-2026-23652
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flipbox_addon flipbox_addon to 2.1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Flipbox Addon for Elementor plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its Flipbox widget's button URL custom_attributes field. This vulnerability exists in all versions up to and including 2.1.1 because the plugin does not properly validate custom attribute names.

Specifically, the plugin uses the esc_html() function on attribute names, which does not prevent event handler attributes like onmouseover or onclick from being used. This allows authenticated users with author-level access or higher to inject malicious scripts that will execute whenever any user views the affected page.

Impact Analysis

This vulnerability can allow attackers with author-level access or higher to inject arbitrary scripts into web pages. These scripts will execute in the browsers of users who visit the infected pages.

  • It can lead to theft of user data such as cookies or session tokens.
  • It can enable attackers to perform actions on behalf of users without their consent.
  • It may result in defacement or manipulation of website content.
  • It can damage the trust and reputation of the website.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6048. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart