VYPR
Unrated severity · NVD Advisory · Published Feb 1, 2025 · Updated Apr 8, 2026

aThemes Addons for Elementor <= 1.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-13547

Description

Stored XSS in aThemes Addons for Elementor's Image Accordion widget allows Contributor+ users to inject arbitrary scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The aThemes Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Image Accordion widget. This flaw affects all versions up to and including 1.0.12 [1]. The issue arises from insufficient input sanitization and output escaping on user-controllable fields within the widget, allowing malicious input to be stored and later rendered in pages without proper neutralization.

Exploitation

An authenticated attacker with at least Contributor-level access to a WordPress site can exploit this vulnerability. The attacker injects arbitrary web scripts (e.g., JavaScript) through the Image Accordion widget's input fields. Once the malicious script is saved, it executes automatically in the context of the victim's browser whenever a user accesses the compromised page. No additional user interaction is required beyond visiting the injected page.

Impact

Successful exploitation leads to Stored XSS, enabling the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing pages. The injected script executes under the victim's session context, potentially allowing privilege escalation if the victim is an administrator. The attack does not require any special network position beyond standard web access.

Mitigation

The plugin vendor released version 1.1.9 on 2026-05-14, which addresses this vulnerability through improved sanitization and escaping [1]. Users should update to version 1.1.9 or later immediately. Sites running version 1.0.12 or earlier remain exposed. No workaround is documented in the available references; disabling the Image Accordion widget may reduce risk but is not a complete fix.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
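The advisory attributes the flaw to missing sanitization and output escaping on widget fields, and the fix to adding them. The following PHP is an added illustration of that defect-and-fix pair; it is constructed for this page and is not the aThemes Addons for Elementor plugin's code. The function names (`render_accordion_item_unescaped`, `render_accordion_item_escaped`, `leaks_raw_markup`), the `$item` array shape and the sample values are all assumptions. The WordPress helpers `esc_html()`, `esc_attr()` and `esc_url()` are real; when the file is run outside WordPress they are replaced by reduced stand-ins so it executes with plain `php`.

```php
<?php
// Added illustration, not the plugin's code: a constructed image-accordion
// item renderer in the style of an Elementor widget's render() method.
// It shows the unescaped output pattern the advisory describes next to a
// hardened version that escapes each field for the HTML context it lands in.
// Outside WordPress the escaping helpers are replaced by reduced stand-ins
// (assumption); inside WordPress the real implementations are used.

if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Reduced stand-in: keep only http(s) URLs, then attribute-escape them.
    function esc_url($url): string {
        $scheme = strtolower((string) parse_url((string) $url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars((string) $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Pattern the advisory describes: widget settings saved by a Contributor are
// concatenated into the page verbatim, so stored markup reaches every visitor.
function render_accordion_item_unescaped(array $item): string
{
    return '<div class="accordion-item">'
        . '<img class="accordion-image" src="' . $item['image_url'] . '" alt="' . $item['image_alt'] . '">'
        . '<h3 class="accordion-title">' . $item['title'] . '</h3>'
        . '<p class="accordion-desc">' . $item['description'] . '</p>'
        . '</div>';
}

// Hardened form: escape at output, choosing the helper by context
// (URL attribute, plain attribute, element text).
function render_accordion_item_escaped(array $item): string
{
    $url   = esc_url($item['image_url'] ?? '');
    $alt   = esc_attr($item['image_alt'] ?? '');
    $title = esc_html($item['title'] ?? '');
    $desc  = esc_html($item['description'] ?? '');
    return '<div class="accordion-item">'
        . '<img class="accordion-image" src="' . $url . '" alt="' . $alt . '">'
        . '<h3 class="accordion-title">' . $title . '</h3>'
        . '<p class="accordion-desc">' . $desc . '</p>'
        . '</div>';
}

// Smoke check for a code review or a regression test: does the rendered
// output still contain, byte for byte, a tag that was stored in a text field?
function leaks_raw_markup(string $html, string $marker): bool
{
    return strpos($html, $marker) !== false;
}

// Constructed sample item, shaped like values a Contributor could save through
// the widget's controls. The marker tag is inert and exists only for the check.
$item = [
    'image_url'   => 'javascript:void(0)',                // non-http scheme: esc_url drops it
    'image_alt'   => 'Cover "front" <view>',              // quotes and angle brackets in an attribute
    'title'       => '<script>/* marker */</script>Tour', // raw tag stored in a text field
    'description' => 'Sizes: S & M <small print>',
];
$marker = '<script>';

$raw  = render_accordion_item_unescaped($item);
$safe = render_accordion_item_escaped($item);

echo 'unescaped render leaks marker: ', var_export(leaks_raw_markup($raw, $marker), true), "\n";
echo 'escaped render leaks marker:   ', var_export(leaks_raw_markup($safe, $marker), true), "\n";
echo $safe, "\n";
```

In a real Elementor widget the same escaping is applied inside `render()` to the values returned by `$this->get_settings_for_display()`; a field that is meant to carry limited HTML (a rich-text description, for instance) goes through `wp_kses_post()` rather than `esc_html()`, which strips it to plain text. Sanitizing on save is a useful second layer, but escaping at output is the control that closes the stored-XSS path the advisory describes, because it neutralizes whatever already sits in the database, including content saved before the fix.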

Affected products: 3

Patches: 1

References: 2
