{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3034", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-23T15:40:31.880Z", "datePublished": "2026-03-05T03:23:41.059Z", "dateUpdated": "2026-04-08T17:11:24.463Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:24.463Z"}, "affected": [{"vendor": "sagarpatel124", "product": "OoohBoi Steroids for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.24", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element."}], "title": "OoohBoi Steroids for Elementor <= 2.1.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple URL Controls", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c2de78e-8530-416b-adef-e2e8ff322802?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ooohboi-steroids-for-elementor/tags/2.1.24/assets/js/spacerat.js#L52"}, {"url": "https://plugins.trac.wordpress.org/browser/ooohboi-steroids-for-elementor/tags/2.1.24/assets/js/ooohboi-steroids.js#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/ooohboi-steroids-for-elementor/tags/2.1.24/assets/js/ooohboi-steroids.js#L300"}, {"url": "https://wordpress.org/plugins/ooohboi-steroids-for-elementor/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-02-24T12:20:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-04T14:44:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:29:12.851225Z", "id": "CVE-2026-3034", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:41:34.324Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3034", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T15:29:12.851225Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:29:13.870Z"}}], "cna": {"title": "OoohBoi Steroids for Elementor <= 2.1.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple URL Controls", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "sagarpatel124", "product": "OoohBoi Steroids for Elementor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.1.24"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-24T12:20:44.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-04T14:44:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c2de78e-8530-416b-adef-e2e8ff322802?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ooohboi-steroids-for-elementor/tags/2.1.24/assets/js/spacerat.js#L52"}, {"url": "https://plugins.trac.wordpress.org/browser/ooohboi-steroids-for-elementor/tags/2.1.24/assets/js/ooohboi-steroids.js#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/ooohboi-steroids-for-elementor/tags/2.1.24/assets/js/ooohboi-steroids.js#L300"}, {"url": "https://wordpress.org/plugins/ooohboi-steroids-for-elementor/#developers"}], "descriptions": [{"lang": "en", "value": "The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-05T03:23:41.059Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3034", "state": "PUBLISHED", "dateUpdated": "2026-03-05T15:41:34.324Z", "dateReserved": "2026-02-23T15:40:31.880Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-05T03:23:41.059Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element."}, {"lang": "es", "value": "El plugin OoohBoi Steroids para Elementor para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de los par\u00e1metros URL _ob_spacerat_link, _ob_bbad_link y _ob_teleporter_link en todas las versiones hasta la 2.1.24, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Colaborador y superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario haga clic en el elemento inyectado."}], "id": "CVE-2026-3034", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-05T04:15:57.407", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ooohboi-steroids-for-elementor/tags/2.1.24/assets/js/ooohboi-steroids.js#L135"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ooohboi-steroids-for-elementor/tags/2.1.24/assets/js/ooohboi-steroids.js#L300"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ooohboi-steroids-for-elementor/tags/2.1.24/assets/js/spacerat.js#L52"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/ooohboi-steroids-for-elementor/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c2de78e-8530-416b-adef-e2e8ff322802?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.24]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "OoohBoi Steroids for Elementor", "source": "cna", "vendor": "sagarpatel124"}, "product": "ooohboi_steroids_for_elementor", "vendor": "sagarpatel124"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:54:17.202566+00:00", "value": {"mitigation_remediation": ["Upgrade the OoohBoi Steroids for Elementor plugin to a version later than 2.1.24 or apply any vendor\u2011provided update that removes the vulnerable URL parameters.", "If an upgrade cannot be performed immediately, restrict Contributor and higher roles from accessing pages where the plugin\u2019s UI allows editing of link parameters, or disable the flagged link fields through a site\u2011wide plugin configuration or custom code patch.", "Perform a scan of all pages for injected script tags and remove any malicious content that may already have been inserted."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting via authenticated contributors"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of the OoohBoi Steroids for Elementor plugin up to and including version 2.1.24, released by the vendor sagarpatel124. Any WordPress site that has this plugin installed and has users assigned the Contributor role or higher is at risk.", "description_and_impact": "OoohBoi Steroids for Elementor contains a Stored Cross\u2011Site Scripting flaw that allows an authenticated user with Contributor or higher privileges to inject malicious scripts into page elements through the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link parameters. The injected scripts execute when any visitor clicks the affected element, potentially enabling session hijacking, defacement, or other client\u2011side attacks. This weakness is a classic input validation problem and is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, but the EPSS score is under 1%, suggesting a low likelihood of widespread exploitation at present. The flaw is not listed in the CISA KEV database, and no public exploit code is known. Attackers would need to log in as a contributor or higher to perform the injection, making the attack vector authenticated and limited to users with write permissions."}}}}, "created": "2026-03-06T15:17:53.538628+00:00", "updated": "2026-04-15T18:00:15.493094+00:00", "vendors": ["sagarpatel124", "sagarpatel124$PRODUCT$ooohboi_steroids_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}