{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2486", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-13T20:31:48.856Z", "datePublished": "2026-02-20T11:26:36.502Z", "dateUpdated": "2026-04-08T17:13:41.881Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:41.881Z"}, "affected": [{"vendor": "litonice13", "product": "Master Addons For Elementor \u2013 Widgets, Extensions, Theme Builder, Popup Builder & Template Kits", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Master Addons For Elementor <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ma_el_bh_table_btn_text'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a78c2621-afff-40b4-ae45-831b2b847756?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3461745/master-addons/tags/2.1.2/addons/ma-business-hours/ma-business-hours.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Thanakorn Bunsin"}], "timeline": [{"time": "2026-02-13T20:59:27.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-19T23:25:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T13:03:11.183225Z", "id": "CVE-2026-2486", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T13:03:26.807Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2486", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T13:03:11.183225Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T13:03:20.879Z"}}], "cna": {"title": "Master Addons For Elementor <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ma_el_bh_table_btn_text'", "credits": [{"lang": "en", "type": "finder", "value": "Thanakorn Bunsin"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "litonice13", "product": "Master Addons For Elementor \u2013 Widgets, Extensions, Theme Builder, Popup Builder & Template Kits", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T20:59:27.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-19T23:25:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a78c2621-afff-40b4-ae45-831b2b847756?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3461745/master-addons/tags/2.1.2/addons/ma-business-hours/ma-business-hours.php"}], "descriptions": [{"lang": "en", "value": "The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:41.881Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2486", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:41.881Z", "dateReserved": "2026-02-13T20:31:48.856Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-20T11:26:36.502Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Master Addons For Elementor para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'ma_el_bh_table_btn_text' en versiones hasta e incluyendo la 2.1.1 debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-2486", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-20T12:16:16.990", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3461745/master-addons/tags/2.1.2/addons/ma-business-hours/ma-business-hours.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a78c2621-afff-40b4-ae45-831b2b847756?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Master Addons For Elementor \u2013 White Label, Free Widgets, Hover Effects, Conditions, & Animations", "source": "cna", "vendor": "litonice13"}, "product": "master_addons_for_elementor_\u2013_white_label,_free_widgets,_hover_effects,_conditions,_&_animations", "vendor": "litonice13"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:07:26.978633+00:00", "value": {"mitigation_remediation": ["Update Master Addons For Elementor to version 2.1.2 or later.", "If an upgrade is not possible, deactivate or remove the plugin until a patch is available.", "Audit other plugins and themes for similar XSS vulnerabilities and apply the latest updates or patches."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The affected product is Master Addons For Elementor \u2013 Widgets, Extensions, Theme Builder, Popup Builder & Template Kits by litonice13. Versions up to and including 2.1.1 are vulnerable; the fix is released in 2.1.2.", "description_and_impact": "This vulnerability allows authenticated users with contributor-level access or higher to inject arbitrary JavaScript through the \"ma_el_bh_table_btn_text\" field in the Master Addons For Elementor WordPress plugin. The input is not sanitized or escaped, so scripts are stored and later executed whenever the affected page is viewed by any user. The flaw enables malicious code execution, defacement, data theft or session hijacking within the context of the affected site.", "risk_and_exploitability": "The severity is CVSS 6.4 (Medium) with a very low EPSS (<1%) and it is not listed in the CISA KEV catalog. Exploitation requires a valid contributor or higher account, so the attack surface is limited to authorized users. Nonetheless, once injected scripts run, they can compromise any site visitor, leading to potential data loss, credential theft, or further site compromise, especially if additional plugins or themes are vulnerable to XSS."}}}}, "created": "2026-02-23T14:47:05.479845+00:00", "updated": "2026-04-15T18:15:10.827161+00:00", "vendors": ["litonice13", "litonice13$PRODUCT$master_addons_for_elementor_\u2013_white_label,_free_widgets,_hover_effects,_conditions,_&_animations", "wordpress", "wordpress$PRODUCT$wordpress"]}