CVE-2026-32430

Vulnerability

Overview CVE-2026-32430 is a Stored Cross-Site Scripting (XSS) vulnerability found in the PowerPack Addons for Elementor plugin for WordPress, affecting versions from n/a through 2.9.9. The root cause is improper neutralization of user input during web page generation, which enables stored XSS attacks [1].

Exploitation

Details Exploitation requires a privileged user (e.g., an editor or administrator) to perform an action such as clicking a crafted link or submitting a form. Once triggered, the injected script is stored on the server and executed when other users (including visitors) access the affected page. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites [1].

Impact

A successful attack allows a malicious actor to inject arbitrary HTML and malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts execute in the context of the victim's browser when they visit the compromised site, potentially leading to data theft, session hijacking, or defacement [1].

Mitigation

The vendor has released version 2.9.10 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].