PatchSiren

xpro CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM xpro CVE published 2026-06-24

CVE-2026-11614

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever [truncated]

MEDIUM xpro CVE published 2026-05-20

CVE-2025-15369

A missing capability check in the Xpro Addons for Elementor WordPress plugin allows unauthenticated attackers to create published templates. The vulnerability exists in the `get_content_editor` function through version 1.5.0. No authentication is required to exploit this flaw, which could lead to unauthorized content injection on affected sites. The issue was disclosed on 2026-05-20 with a CVSS 3.1 score [truncated]