CVE-2026-11614 xpro CVE debrief

Who should care

WordPress administrators and users of the Xpro Addons — 140+ Widgets for Elementor plugin should be aware of this vulnerability. The vulnerability requires author-level access and above, making it a concern for users with elevated privileges. Users should ensure they are running a patched version of the plugin to prevent exploitation.

Technical summary

The Xpro Addons — 140+ Widgets for Elementor plugin is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping in the 'custom_attributes' parameter. The vulnerability exists in all versions up to and including 1.7.2. An authenticated attacker with author-level access and above can inject arbitrary web scripts, which will execute when a user accesses an injected page. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Defensive priority

Medium priority should be given to patching this vulnerability, as it requires authenticated access with author-level privileges and above. However, defenders should be cautious as the vulnerability can still cause significant damage if exploited.

Recommended defensive actions

• Patch the Xpro Addons — 140+ Widgets for Elementor plugin to a version beyond 1.7.2.
• Review and limit user privileges to prevent unnecessary elevated access.
• Monitor for suspicious activity related to the plugin.
• Consider implementing additional security measures such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts.
• Regularly update and audit plugins and themes for known vulnerabilities.

Evidence notes

The CVE record and NVD detail provide official information on the vulnerability. Multiple source references from Wordfence offer additional context and affected code locations. However, some details about the vendor and affected scope are unclear or marked as 'low' confidence.

Official resources