cleantalk
Vulnerabilities and Security Researches

130+ Widgets | Best Addons For Elementor – FREE, CVE-2026-11614

CVE, Research URL

CVE-2026-11614

Home page URL

Security reports for 130+ Widgets | Best Addons For Elementor – FREE

Application

130+ Widgets | Best Addons For Elementor – FREE

Published on
Jun 24, 2026
Research Description
The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.7.3.
Status
vulnerable
Previous vulnerability researches
CM Download Manager – Document and File Management (CVE-2025-24758) , Feb 19, 2025
CM Download Manager – Document and File Management (CVE-2020-27344) , Jun 06, 2024
CM Download Manager – Document and File Management (CVE-2014-8877) , Jun 06, 2024
CM Download Manager – Document and File Management (CVE-2024-1962) , Jun 06, 2024
CM Download Manager – Document and File Management (CVE-2014-9129) , Jun 06, 2024
New vulnerability
Five Star Restaurant Reservations – WordPress Booking Plugin (CVE-2026-54830) , Jun 25, 2026
MapPress Maps for WordPress (CVE-2026-56011) , Jun 25, 2026
WP Photo Album Plus (CVE-2026-54829) , Jun 25, 2026
Infility Global (CVE-2026-7842) , Jun 25, 2026
Infility Global (CVE-2026-8163) , Jun 25, 2026