Atomic Edge analysis of CVE-2026-2486:
The Master Addons For Elementor plugin for WordPress, versions up to and including 2.1.1, contains an authenticated stored cross-site scripting (XSS) vulnerability. This vulnerability allows attackers with contributor-level or higher permissions to inject arbitrary JavaScript into pages, which executes when a user views the compromised page. The CVSS score of 6.4 reflects the requirement for authentication and the impact of stored XSS.

Atomic Edge research identifies the root cause as insufficient output escaping for user-supplied input in multiple plugin components. The vulnerability specifically affects the `ma_el_bh_table_btn_text` parameter in the business hours widget, located in `/master-addons/addons/ma-business-hours/ma-business-hours.php` at lines 1684, 1697, and 1709. The plugin echoes the parameter value directly without proper escaping. The `parse_text_editor()` function processes several other parameters across different widgets, but the output lacks adequate escaping in multiple locations, as shown in the diff.

Exploitation requires an authenticated attacker with at least contributor-level access to WordPress. The attacker creates or edits a post or page using the Elementor editor, adds a vulnerable Master Addons widget (such as the Business Hours widget), and inserts a malicious JavaScript payload into the vulnerable parameter field (e.g., `ma_el_bh_table_btn_text`). When the page is saved and subsequently viewed by any user, the injected script executes in the victim’s browser context. The attack vector is the Elementor editor interface, which accepts and stores the unsanitized input.

The patch in version 2.1.2 addresses the vulnerability by applying proper output escaping functions. For the primary `ma_el_bh_table_btn_text` parameter, the fix wraps the output with `esc_html()` on lines 1684, 1697, and 1709 in `ma-business-hours.php`. For other affected parameters, the patch applies either `esc_html()` or `wp_kses_post()` depending on the expected content: `wp_kses_post()` allows a limited set of HTML tags while stripping dangerous scripts, whereas `esc_html()` converts all special characters to HTML entities, preventing script execution. Before the patch, the plugin directly echoed user input. After the patch, all output is properly escaped before rendering.
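The before/after pattern described above (unescaped echo of the widget setting, then the `esc_html()` wrap), as an added example that is not the plugin's own code: the settings array, the two render helpers and the audit scanner are hypothetical stand-ins, and only the setting name and the `esc_html()` fix come from the advisory.

```php
<?php
// Added example, not code from the Master Addons plugin. The settings array and the
// render helpers are hypothetical stand-ins for the value an Elementor widget
// receives and the markup it emits; only the setting name comes from the advisory.

// Stand-in for WordPress's esc_html() so this file runs outside WordPress.
// Under WordPress the real helper exists and this definition is skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Pre-2.1.2 pattern: the stored setting is concatenated into markup unchanged,
// so any markup a contributor saved in the field reaches the viewer's browser.
function render_button_vulnerable(array $settings): string
{
    return '<a class="ma-el-bh-btn" href="#">' . $settings['ma_el_bh_table_btn_text'] . '</a>';
}

// 2.1.2 pattern: the same setting passes through esc_html(), so < > & " ' become
// entities and the browser renders the field as text, never as a tag.
function render_button_fixed(array $settings): string
{
    return '<a class="ma-el-bh-btn" href="#">' . esc_html($settings['ma_el_bh_table_btn_text']) . '</a>';
}

// Audit helper: flags source lines that emit a widget setting with no escaping wrapper.
// Crude by design (regex over text); use it to shortlist lines for manual review.
function find_unescaped_setting_output(string $php_source): array
{
    $hits = [];
    foreach (explode("\n", $php_source) as $n => $line) {
        if (preg_match('/\b(?:echo|print)\s+\$settings\[/', $line)) {
            $hits[] = $n + 1; // 1-based line number of the unescaped output
        }
    }
    return $hits;
}

// Constructed input: a harmless probe string a contributor could save in the field.
$settings = ['ma_el_bh_table_btn_text' => 'Book now<script>alert(1)</script>'];
echo render_button_vulnerable($settings), PHP_EOL; // unescaped: the tag reaches the viewer's browser
echo render_button_fixed($settings), PHP_EOL;      // escaped: shown to the viewer as literal text

// Constructed source fragment in the before/after shape the advisory describes.
$src = "echo \$settings['ma_el_bh_table_btn_text'];\necho esc_html( \$settings['ma_el_bh_table_btn_text'] );";
print_r(find_unescaped_setting_output($src)); // only the first (unwrapped) line is reported
```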

Successful exploitation leads to stored cross-site scripting attacks. An attacker can steal session cookies, perform actions on behalf of authenticated users, deface websites, or redirect users to malicious sites. Since the payload is stored in the database, it affects all users who view the compromised page. The attacker’s required contributor-level access is a common permission for many WordPress sites, increasing the potential attack surface.