The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever [truncated]
A missing capability check in the Xpro Addons for Elementor WordPress plugin allows unauthenticated attackers to create published templates. The vulnerability exists in the `get_content_editor` function through version 1.5.0. No authentication is required to exploit this flaw, which could lead to unauthorized content injection on affected sites. The issue was disclosed on 2026-05-20 with a CVSS 3.1 score [truncated]