{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6048", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-09T19:32:35.200Z", "datePublished": "2026-04-18T03:37:05.751Z", "dateUpdated": "2026-04-18T03:37:05.751Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-18T03:37:05.751Z"}, "affected": [{"vendor": "dragwyb", "product": "Flipbox Addon for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions up to, and including, 2.1.1 due to insufficient validation of custom attribute names. Specifically, the plugin uses `esc_html()` on the attribute name which does not prevent event handler attributes (e.g., `onmouseover`, `onclick`). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Flipbox Addon for Elementor <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa6ad51-7b3b-4fe1-95fa-e9b63943d533?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-flipbox-addon-for-elementor/tags/2.1.1/widget/simple/ufae-frontend/class-ufae-frontend-item.php#L250"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-flipbox-addon-for-elementor/tags/2.1.1/widget/stories/ufae-frontend/class-ufae-frontend-loop.php#L248"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-flipbox-addon-for-elementor/tags/2.1.2/widget/simple/ufae-frontend/class-ufae-frontend-item.php#L263"}, {"url": "https://plugins.trac.wordpress.org/browser/ultimate-flipbox-addon-for-elementor/tags/2.1.2/widget/stories/ufae-frontend/class-ufae-frontend-loop.php#L253"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-04-13T18:14:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-17T14:40:16.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions up to, and including, 2.1.1 due to insufficient validation of custom attribute names. Specifically, the plugin uses `esc_html()` on the attribute name which does not prevent event handler attributes (e.g., `onmouseover`, `onclick`). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-6048", "lastModified": "2026-04-18T05:16:24.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-18T05:16:24.157", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-flipbox-addon-for-elementor/tags/2.1.1/widget/simple/ufae-frontend/class-ufae-frontend-item.php#L250"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-flipbox-addon-for-elementor/tags/2.1.1/widget/stories/ufae-frontend/class-ufae-frontend-loop.php#L248"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-flipbox-addon-for-elementor/tags/2.1.2/widget/simple/ufae-frontend/class-ufae-frontend-item.php#L263"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ultimate-flipbox-addon-for-elementor/tags/2.1.2/widget/stories/ufae-frontend/class-ufae-frontend-loop.php#L253"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/faa6ad51-7b3b-4fe1-95fa-e9b63943d533?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:39:05.355323+00:00", "value": {"mitigation_remediation": ["Update the Flipbox Addon for Elementor plugin to version 2.1.2 or later, which removes the unfiltered custom_attributes field.", "If an update is not immediately possible, configure a web application firewall or custom sanitization rule to strip or refuse event\u2011handler attributes such as onmouseover, onclick, onload, etc., from the custom_attributes field before rendering the page.", "Restrict author or higher roles from editing or inserting custom attributes where possible, or disable the feature entirely if not required for the site\u2019s functionality."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Flipbox Addon for Elementor plugin version 2.1.1 or earlier installed. The affected vendor is dragwyb, and the vulnerability applies to all releases up to and including 2.1.1.", "description_and_impact": "The Flipbox Addon for Elementor plugin for WordPress contains a stored cross\u2011site scripting vulnerability. Unvalidated custom attribute names in the widget\u2019s button URL field allow an attacker with author\u2011level or higher access to embed malicious scripts. The injected code is stored in the page and will execute in the browsers of all users who view the affected page, potentially compromising credentials, defacing content, or facilitating further attacks. The weakness stems from using esc_html() on the attribute name, which does not filter event\u2011handler attributes such as onmouseover or onclick.", "risk_and_exploitability": "The flaw has a CVSS score of 6.4, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access at author level or higher; once the attacker supplies malicious attributes, the script is persisted and will run whenever an affected page is accessed by any user. Because the vulnerability is stored, repeated exposure can amplify the impact. Prompt remediation is advised to prevent untrusted content from being rendered."}}}}, "created": "2026-04-18T08:45:41.378444+00:00", "updated": "2026-04-18T08:45:41.378456+00:00", "vendors": []}