CVE-2026-32429
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Magical Addons For Elementor magical-addons-for-elementor allows Stored XSS. This issue affects Magical Addons For Elementor: from n/a through <= 1.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Magical Addons For Elementor allows attackers to inject malicious scripts via improper input neutralization, affecting versions up to 1.4.1.
Vulnerability Overview
CVE-2026-32429 is a stored Cross-Site Scripting (XSS) vulnerability in the Magical Addons For Elementor plugin for WordPress, affecting all versions up to and including 1.4.1. The root cause is improper neutralization of user input during web page generation, which allows malicious payloads to be saved on the server and executed in the browsers of visitors.
Exploitation and Attack Vector
This vulnerability can be initiated by an authenticated user with certain privileges, but successful exploitation requires a privileged user to perform an action such as clicking a malicious link or submitting a specially crafted form. This interaction leads to the injection and storage of malicious scripts within the website, which will then execute when any user visits the compromised page. The CVSS v3 score is 6.5 (Medium), reflecting the need for user interaction but with potential for broad impact.
Impact
An attacker exploiting this vulnerability can inject arbitrary scripts, redirecting visitors to malicious sites, serving unwanted advertisements, or stealing session cookies and other sensitive data. Because the XSS is stored, the payload remains persistent until removed, affecting all users who browse the affected content.
Mitigation
The vendor has addressed this issue in version 1.4.2. Users are strongly advised to update immediately. Plugin users with Patchstack can enable auto-updates for vulnerable plugins. Since this type of vulnerability is known to be used in mass-exploit campaigns, timely updating is critical [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.4.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.