📄 Description (English)
The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping in an admin attribute context. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🤖 AI Executive Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Style Kits plugin for WordPress affecting versions up to 2.5.0. Authenticated contributors can inject malicious scripts via the kit title parameter that execute for all users accessing affected pages. With no patch currently available, this poses a moderate risk to WordPress installations using this popular Elementor enhancement plugin.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 27, 2026 07:48
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress with Elementor for web presence (government agencies, educational institutions, e-commerce platforms, and digital marketing agencies) are at risk. The vulnerability primarily affects organizations with multiple content contributors, where insider threats or compromised contributor accounts could inject malicious scripts affecting customer-facing pages. Banking and financial services websites using this plugin face elevated risk due to potential credential theft or session hijacking. Government digital transformation initiatives utilizing WordPress-based portals are also vulnerable.
🏢 Affected Saudi Sectors
E-commerce and Retail
Government and Public Sector
Education
Healthcare
Banking and Financial Services
Digital Marketing and Advertising Agencies
Media and Publishing
Hospitality and Tourism
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all WordPress installations using Style Kits plugin and identify version numbers
2. Restrict contributor-level access to only trusted personnel; review user roles and permissions
3. Disable the '/wp-json/agwp/v1/tokens/save' endpoint if not actively used via Web Application Firewall (WAF) rules
4. Implement Content Security Policy (CSP) headers to mitigate XSS impact
Patching Guidance:
1. Monitor plugin repository for version 2.5.1 or later release
2. Consider temporary deactivation of Style Kits plugin until patch is available
3. If deactivation is not feasible, implement input validation at WAF level
Compensating Controls:
1. Deploy WordPress security plugins (Wordfence, Sucuri) with XSS detection rules
2. Enable WordPress REST API authentication restrictions
3. Implement regular security audits of kit titles and stored content
4. Use Web Application Firewall rules to sanitize input to the vulnerable endpoint
Detection Rules:
1. Monitor REST API logs for POST requests to '/wp-json/agwp/v1/tokens/save'
2. Alert on kit title parameters containing script tags, event handlers (onclick, onerror), or encoded payloads
3. Review WordPress post meta and option tables for suspicious JavaScript in agwp-related entries
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون Style Kits وتحديد أرقام الإصدارات
2. تقييد الوصول على مستوى المساهم للموظفين الموثوقين فقط؛ مراجعة أدوار وأذونات المستخدمين
3. تعطيل نقطة النهاية '/wp-json/agwp/v1/tokens/save' إذا لم تكن قيد الاستخدام النشط عبر قواعد جدار الحماية
4. تنفيذ رؤوس سياسة أمان المحتوى (CSP) للتخفيف من تأثير XSS
إرشادات التصحيح:
1. مراقبة مستودع المكون لإصدار 2.5.1 أو إصدار أحدث
2. النظر في تعطيل مؤقت لمكون Style Kits حتى يتوفر التصحيح
3. إذا لم يكن التعطيل ممكناً، قم بتنفيذ التحقق من الإدخال على مستوى جدار الحماية
الضوابط البديلة:
1. نشر مكونات أمان WordPress (Wordfence, Sucuri) مع قواعد كشف XSS
2. تفعيل قيود المصادقة لـ WordPress REST API
3. تنفيذ عمليات تدقيق أمان منتظمة لعناوين المجموعات والمحتوى المخزن
4. استخدام قواعد جدار الحماية لتنظيف الإدخال إلى نقطة النهاية الضعيفة
قواعد الكشف:
1. مراقبة سجلات REST API لطلبات POST إلى '/wp-json/agwp/v1/tokens/save'
2. التنبيه على معاملات عنوان المجموعة التي تحتوي على علامات النصوص البرمجية أو معالجات الأحداث أو الحمولات المشفرة
3. مراجعة جداول WordPress post meta و option للبحث عن JavaScript مريب في إدخالات agwp
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.6.1.1 - Information security roles and responsibilities
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF 2.1 - Governance and Risk Management
SAMA CSF 3.2 - Information and Communications Technology (ICT) Security
SAMA CSF 3.2.1 - Access Control and Authentication
SAMA CSF 3.2.3 - Data Protection and Privacy
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security
ISO 27001:2022 A.6.1 - Organization of information security
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.8.3 - Access control
ISO 27001:2022 A.14.2 - Supplier relationships
🟣 PCI DSS v4.0.1
PCI DSS 6.5.7 - Cross-site scripting (XSS)
PCI DSS 6.2 - Security patches and updates
PCI DSS 7.1 - Limit access to system components