📄 Description (English)
The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely.
🤖 AI Executive Summary
Master Addons For Elementor plugin versions up to 3.1.0 contain a Stored XSS vulnerability in the Custom JS Extension that allows authenticated author-level users to inject arbitrary JavaScript code into pages. The vulnerability bypasses UI-level restrictions through direct POST requests to admin-ajax.php, enabling persistent script execution whenever users access affected pages. This poses a significant risk to WordPress sites using this popular page builder plugin, particularly in multi-user environments where author accounts may be compromised or untrusted.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 6, 2026 06:45
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress with Master Addons For Elementor face significant risk, particularly in government digital transformation initiatives, banking sector websites, healthcare portals, and e-commerce platforms. Government agencies under NCA oversight and SAMA-regulated financial institutions are especially vulnerable if they employ this plugin for website management. The vulnerability is particularly concerning for organizations with multiple content authors or those managing customer-facing portals, as compromised author accounts could inject malicious scripts affecting end-users. Saudi telecom and media companies using this plugin for content management systems are also at elevated risk.
🏢 Affected Saudi Sectors
Government & Public Administration
Banking & Financial Services
Healthcare & Medical Services
Energy & Utilities
Telecommunications
E-commerce & Retail
Media & Publishing
Education
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Disable the Master Addons For Elementor plugin immediately until a patched version is available
2. Audit all pages and posts created/modified with this plugin for suspicious JavaScript in Custom JS settings
3. Review admin-ajax.php access logs for POST requests with action=elementor_ajax from author-level accounts
4. Revoke author-level access for untrusted or inactive user accounts
5. Implement Web Application Firewall (WAF) rules to block POST requests to admin-ajax.php?action=elementor_ajax containing 'jtlma_custom_js' parameters
DETECTION RULES:
- Monitor WordPress database for 'jtlma_custom_js' meta keys containing <script> tags or javascript: protocols
- Alert on POST requests to /wp-admin/admin-ajax.php with action=elementor_ajax and jtlma_custom_js parameters
- Track user activity logs for author-level accounts making direct AJAX calls
COMPENSATING CONTROLS:
- Implement strict Content Security Policy (CSP) headers to prevent inline script execution
- Use WordPress security plugins to monitor and log all AJAX requests
- Restrict author-level capabilities to trusted personnel only
- Enable two-factor authentication for all administrative accounts
- Regularly scan page content for injected scripts using security scanning tools
PATCHING GUIDANCE:
- Monitor the plugin's GitHub repository and official WordPress plugin page for version 3.1.1 or later
- Test patches in staging environment before production deployment
- After patching, conduct full site audit for existing malicious injections
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تعطيل مكون إضافي Master Addons For Elementor فوراً حتى يتوفر إصدار معدل
2. تدقيق جميع الصفحات والمنشورات التي تم إنشاؤها/تعديلها باستخدام هذا المكون الإضافي بحثاً عن JavaScript مريب في إعدادات Custom JS
3. مراجعة سجلات وصول admin-ajax.php لطلبات POST من حسابات على مستوى المؤلف
4. إلغاء وصول المؤلف لحسابات المستخدمين غير الموثوقة أو غير النشطة
5. تنفيذ قواعد جدار الحماية لتطبيقات الويب (WAF) لحظر طلبات POST إلى admin-ajax.php?action=elementor_ajax التي تحتوي على معاملات 'jtlma_custom_js'
قواعد الكشف:
- مراقبة قاعدة بيانات WordPress بحثاً عن مفاتيح 'jtlma_custom_js' تحتوي على علامات <script> أو بروتوكولات javascript:
- تنبيه على طلبات POST إلى /wp-admin/admin-ajax.php مع action=elementor_ajax ومعاملات jtlma_custom_js
- تتبع سجلات نشاط المستخدم لحسابات على مستوى المؤلف التي تقوم بطلبات AJAX مباشرة
الضوابط البديلة:
- تنفيذ رؤوس سياسة أمان المحتوى (CSP) صارمة لمنع تنفيذ البرامج النصية المضمنة
- استخدام مكونات إضافية أمان WordPress لمراقبة وتسجيل جميع طلبات AJAX
- تقييد قدرات المؤلف للأشخاص الموثوقين فقط
- تفعيل المصادقة متعددة العوامل لجميع الحسابات الإدارية
- فحص محتوى الصفحة بانتظام بحثاً عن البرامج النصية المحقونة باستخدام أدوات الفحص الأمني
إرشادات التصحيح:
- مراقبة مستودع GitHub للمكون الإضافي والصفحة الرسمية لمكون WordPress بحثاً عن الإصدار 3.1.1 أو أحدث
- اختبار التصحيحات في بيئة التدريج قبل نشرها في الإنتاج
- بعد التصحيح، إجراء تدقيق كامل للموقع بحثاً عن الحقن الضار الموجود
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.5.23 - Access control for information systems
ECC 2024 A.8.3.2 - Segregation of duties
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
Governance & Risk Management - GRM-2: Information Security Risk Management
Governance & Risk Management - GRM-3: Third-party Risk Management
Protection & Resilience - PR-1: Access Control
Protection & Resilience - PR-3: Data Protection
Detection & Response - DR-1: Monitoring and Detection
🟡 ISO 27001:2022
A.5.15 - Access control
A.5.16 - Authentication
A.8.22 - Monitoring
A.8.23 - Web application security
A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
Requirement 1.1.2 - Firewall configuration standards
Requirement 6.5.1 - Injection flaws
Requirement 6.5.7 - Cross-site scripting (XSS)
Requirement 6.2 - Security patches and updates
Requirement 7.1 - Limit access to system components
🔗 References & Sources 8
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/master-addons/tags/3.0.2/inc/modules/utiliti...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/master-addons/tags/3.0.2/inc/modules/utiliti...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/master-addons/tags/3.0.2/inc/modules/utiliti...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/master-addons/tags/3.1.0/inc/modules/utiliti...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/master-addons/tags/3.1.0/inc/modules/utiliti...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/master-addons/tags/3.1.0/inc/modules/utiliti...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=355681...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b8e052a-6e60-4455-96c9-b2a3e...
security@wordfence.com