Platform: wordpress
Component: master-addons
Fixed in: 2.1.2
CVE-2026-2486 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Master Addons For Elementor plugin. This flaw allows authenticated attackers with contributor-level access or higher to inject malicious web scripts into pages. These scripts execute whenever a user accesses the compromised page. The vulnerability affects versions 2.1.1 and earlier, and it is fixed in version 2.1.2.
CVE-2026-2486 affects the Master Addons For Elementor plugin, enabling a stored Cross-Site Scripting (XSS) attack. An authenticated attacker with contributor-level access or higher can inject malicious JavaScript code through the 'maelbhtablebtn_text' parameter. This code will execute in the browser of any user accessing the compromised page, potentially leading to cookie theft, redirection to malicious websites, or modification of page content. The issue is rated as 6.4 on the CVSS scale, indicating a medium-high risk. The vulnerability stems from insufficient input sanitization and output escaping, allowing script injection.
An attacker with contributor or higher access on a website using the Master Addons For Elementor plugin can exploit this vulnerability. The attacker can inject malicious JavaScript code into a page via the 'maelbhtablebtn_text' parameter. When a user accesses that page, the JavaScript code executes in their browser. The ease of exploitation, combined with the potential to affect any user visiting the page, makes this vulnerability concerning. Monitor website logs for suspicious activity related to script injection.
EPSS: 0.03% (9th percentile)
The solution to this vulnerability is to update the Master Addons For Elementor plugin to version 2.1.2 or higher. This update includes the necessary fixes to properly sanitize and escape user input, preventing the injection of malicious code. It is highly recommended to perform this update as soon as possible to protect your website from potential XSS attacks. Additionally, review existing pages for any injections that may have occurred before the update and remove them. Implementing a strong password security policy and limiting user privileges also helps mitigate the risk.
Update to version 2.1.2, or a newer patched version
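One way to carry out the review of existing pages mentioned above, as an added example that is not code from the plugin or from this advisory: it walks a post's exported Elementor data (the `_elementor_data` post meta, for instance from `wp post meta get <id> _elementor_data`) and flags markup stored in the affected setting. The setting key is taken as spelled in this advisory and may differ in your install; the sample data, element ids and widget type are constructed.

```python
import json
import re

# Setting key as spelled in the advisory; the key stored by your install may differ.
SETTING_KEY = "maelbhtablebtn_text"
# Markup that has no place in a plain-text button label.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:|&#x?[0-9a-f]+;?",
    re.IGNORECASE)

def _iter_settings(obj):
    """Yield (key, string value) pairs, descending into repeaters and groups."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, str):
                yield key, value
            else:
                yield from _iter_settings(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _iter_settings(item)

def find_suspicious_labels(elementor_data, key=SETTING_KEY):
    """Return (element id, widget type, value) for each flagged setting."""
    hits = []
    stack = list(json.loads(elementor_data))
    while stack:
        node = stack.pop()
        if not isinstance(node, dict):
            continue
        # Elementor serialises empty settings as [], so walk whatever is there.
        for name, value in _iter_settings(node.get("settings")):
            if name == key and SUSPICIOUS.search(value):
                hits.append((node.get("id"), node.get("widgetType"), value))
        stack.extend(node.get("elements") or [])
    return hits

# Constructed sample: one section, one column, two widgets (ids and widget type invented).
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "settings": [], "elements": [
    {"id": "b2", "elType": "column", "settings": {}, "elements": [
        {"id": "c3", "elType": "widget", "widgetType": "example-table",
         "settings": {SETTING_KEY: "Buy now & save"}, "elements": []},
        {"id": "d4", "elType": "widget", "widgetType": "example-table",
         "settings": {SETTING_KEY: "<script>alert(1)</script>"}, "elements": []},
    ]}]}])

if __name__ == "__main__":
    for element_id, widget, value in find_suspicious_labels(SAMPLE):
        print(f"review element {element_id} ({widget}): {value!r}")
```

A hit is a prompt for manual review, not proof of compromise: a label such as "a < b" would also be flagged.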
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into legitimate websites. These scripts execute in the browsers of users visiting the website, potentially allowing attackers to steal sensitive information or perform actions on behalf of the user.
If you are using a version prior to 2.1.2 of the Master Addons For Elementor plugin, you are likely affected. Review your website pages for suspicious JavaScript code injected into the 'maelbhtablebtn_text' parameter.
Immediately update the plugin to version 2.1.2 or higher. Review website pages for malicious code and remove it. Consider changing the passwords of all administrator or editor users.
Yes, there are several XSS vulnerability scanning tools, both free and paid. These tools can help identify potential vulnerabilities in your website.
Keep all your plugins and themes updated. Implement a strong password security policy. Limit user privileges. Use a web application firewall (WAF) to protect your website from attacks.