Vulnerabilities ›

CVE-2026-2949

Medium

CWE-79 — Weakness Type

                    Published: Apr 4, 2026                      ·  Modified: Apr 7, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Box widget in versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

The Xpro Addons plugin for WordPress contains a Stored XSS vulnerability in the Icon Box widget that allows authenticated contributors to inject malicious scripts. These scripts execute when users access affected pages, potentially compromising website integrity and user data.

📄 Description (Arabic)

يحتوي مكون Xpro Addons على ثغرة Stored XSS في أداة Icon Box تسمح للمستخدمين المصرحين برفع محتوى بحقن نصوص برمجية ضارة. تُنفذ هذه النصوص عند وصول المستخدمين إلى الصفحات المتأثرة، مما قد يؤدي إلى سرقة بيانات المستخدمين أو تعديل محتوى الموقع.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 13, 2026 07:17

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1598 T1566

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update Xpro Addons plugin to version 1.4.25 or later immediately. Restrict contributor-level access to trusted users only. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads. Conduct security audit of all pages created with Icon Box widget for malicious content.

🔧 خطوات المعالجة (العربية)

قم بتحديث مكون Xpro Addons إلى الإصدار 1.4.25 أو أحدث فوراً. قيّد وصول مستوى المساهم للمستخدمين الموثوقين فقط. طبّق قواعد جدار الحماية لتطبيقات الويب للكشف عن حمولات XSS. أجرِ تدقيق أمني لجميع الصفحات المنشأة باستخدام أداة Icon Box للتحقق من المحتوى الضار.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.7.1.1 A.7.1.2 A.12.2.1

🔵 SAMA CSF

ID.GV-1 PR.AC-1 PR.DS-1

🟡 ISO 27001:2022

A.6.1.1 A.7.1.1 A.7.1.2 A.12.2.1 A.14.2.1

🔗 References & Sources 2

🔗

https://plugins.trac.wordpress.org/changeset/3470049/xpro-elementor-addons

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/a1192c12-a898-46d9-9eee-6f611...

security@wordfence.com

📊 CVSS Score

6.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.4

CWECWE-79

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-04-04

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-2949

💬 Comments

Introduce Yourself

Sign In Required