📄 Description (English)
The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🤖 AI Executive Summary
The Xpro Addons plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Image Scroller widget that allows authenticated contributors to inject malicious scripts into pages. This vulnerability affects all versions up to 1.4.24 and has no available patch. While requiring contributor-level access limits immediate risk, compromised accounts or insider threats could exploit this to deface websites or steal user data from Saudi organizations using WordPress.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 14, 2026 00:48
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations most at risk include: (1) Government agencies and municipalities using WordPress for public-facing portals and content management; (2) Banking and financial services sector websites and customer portals; (3) Healthcare institutions managing patient information portals; (4) E-commerce and retail businesses; (5) Educational institutions and universities. The vulnerability is particularly concerning for organizations with multiple content contributors or outsourced content management teams, as compromised contributor accounts could inject malware or phishing content targeting Saudi users.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Healthcare and Medical Services
E-commerce and Retail
Education and Universities
Telecommunications
Media and Publishing
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
5.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using Xpro Addons plugin and identify current version
2. Review contributor and editor user accounts for suspicious activity and recent changes
3. Audit all pages using the Image Scroller widget for unauthorized script injections
4. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in widget attributes
COMPENSATING CONTROLS (until patch available):
5. Restrict contributor-level access to only trusted personnel; implement principle of least privilege
6. Disable the Image Scroller widget if not actively used
7. Implement Content Security Policy (CSP) headers to prevent inline script execution
8. Enable WordPress security plugins with XSS detection capabilities
9. Implement regular automated security scanning of WordPress database for malicious scripts
10. Monitor admin activity logs for unauthorized widget modifications
DETECTION RULES:
- Monitor wp_postmeta table for suspicious script content in Image Scroller widget attributes
- Alert on any modifications to posts/pages containing Image Scroller widgets by non-admin users
- Log and review all contributor-level user account creations and permission changes
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون Xpro Addons وتحديد الإصدار الحالي
2. مراجعة حسابات المستخدمين على مستوى المساهم والمحرر للنشاط المريب والتغييرات الأخيرة
3. تدقيق جميع الصفحات التي تستخدم أداة Image Scroller للحقن النصي غير المصرح به
4. تنفيذ قواعد جدار الحماية لتطبيقات الويب (WAF) للكشف عن حقن XSS وحجبها
الضوابط التعويضية (حتى توفر التصحيح):
5. تقييد وصول المساهم إلى الموظفين الموثوقين فقط؛ تنفيذ مبدأ أقل امتياز
6. تعطيل أداة Image Scroller إذا لم تكن قيد الاستخدام النشط
7. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ البرامج النصية المضمنة
8. تفعيل مكونات أمان WordPress مع قدرات الكشف عن XSS
9. تنفيذ فحص أمان آلي منتظم لقاعدة بيانات WordPress للبحث عن برامج نصية ضارة
10. مراقبة سجلات نشاط المسؤول للتعديلات غير المصرح بها على الأداة
قواعد الكشف:
- مراقبة جدول wp_postmeta للمحتوى النصي المريب في سمات أداة Image Scroller
- التنبيه على أي تعديلات على المنشورات/الصفحات التي تحتوي على أدوات Image Scroller من قبل مستخدمين غير المسؤولين
- تسجيل ومراجعة جميع إنشاءات حسابات المستخدمين على مستوى المساهم وتغييرات الأذونات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.5.23 - Access control and user management
ECC 2024 A.6.12 - Secure development and change management
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and hardware inventory
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.DS-2 - Data security and protection
SAMA CSF DE.CM-1 - Detection and monitoring of security events
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.5.16 - Identification and authentication
ISO 27001:2022 A.8.22 - Monitoring
ISO 27001:2022 A.8.23 - Web application security
🟣 PCI DSS v4.0.1
PCI DSS 6.5.7 - Cross-site scripting prevention
PCI DSS 7.1 - Limit access to system components by business need to know