Logo
Retour à la veille

CVE-2026-9281

Publié : 6 juin 2026
Modifié : 6 juin 2026
Lien officiel NVD
Score CVSS
6.4
MEDIUM

Description détaillée

The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Références et Patchs

https://plugins.trac.wordpress.org/browser/master-addons/tags/3.0.2/inc/modules/utilities/custom-js/custom-js.php#L206https://plugins.trac.wordpress.org/browser/master-addons/tags/3.0.2/inc/modules/utilities/custom-js/custom-js.php#L214https://plugins.trac.wordpress.org/browser/master-addons/tags/3.0.2/inc/modules/utilities/custom-js/custom-js.php#L80https://plugins.trac.wordpress.org/browser/master-addons/tags/3.1.0/inc/modules/utilities/custom-js/custom-js.php#L206https://plugins.trac.wordpress.org/browser/master-addons/tags/3.1.0/inc/modules/utilities/custom-js/custom-js.php#L214https://plugins.trac.wordpress.org/browser/master-addons/tags/3.1.0/inc/modules/utilities/custom-js/custom-js.php#L80https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3556818%40master-addons&new=3556818%40master-addons&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/5b8e052a-6e60-4455-96c9-b2a3e86773da?source=cve

Dernières Vulnérabilités

CVE-2026-9280

The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the targeted page, which is a non-default but supported configuration commonly used for AdSense and JavaScript-based ads.

VOIR DÉTAILS

CVE-2026-9197

The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

VOIR DÉTAILS

CVE-2026-8991

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VOIR DÉTAILS