CVE-2026-2486 in Master Addons for Elementor Plugin
Summary
by MITRE • 02/20/2026
The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 02/22/2026
CVE-2026-2486 affects Master Addons For Elementor, a widely installed WordPress plugin that adds widgets to the Elementor page builder. The flaw is present in versions up to and including 2.1.1. It is a stored cross-site scripting issue reachable by attackers who already hold contributor-level access or higher on the affected site. The injection point is the 'ma_el_bh_table_btn_text' parameter, the control the plugin uses for the text of a table button element: a script tag or event handler placed there is saved with the page and later rendered to whoever views it.
The root cause is inadequate input sanitization combined with missing output escaping in the plugin's code. When an authenticated user with contributor privileges or higher submits a value for 'ma_el_bh_table_btn_text', the plugin stores it without validating or sanitizing it, and then echoes the stored value into page markup without escaping it, so the browser parses attacker-controlled text as HTML and executes any script in it in the context of whoever views the page. The primary classification is CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. cross-site scripting); the broader category it falls under is CWE-116 (Improper Encoding or Escaping of Output). The required privilege level is what makes this notable: contributors can create and edit drafts but cannot publish them and do not hold the unfiltered_html capability, so WordPress core would strip a script tag from their post body. A plugin that stores a widget setting outside that filter and renders it without escaping bypasses that protection, and the payload fires as soon as the page is published or previewed by a more privileged user, for example an editor reviewing the submission. Sites where contributor accounts are exposed to phishing or credential reuse, or where an attacker has already escalated to that role, are the realistic targets.
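The two patterns described above, side by side, as an added example and not code from the Master Addons plugin: a hypothetical widget render routine that concatenates the stored control value into HTML, and the same routine escaping at the point of output. Only the control name 'ma_el_bh_table_btn_text' comes from the advisory; the widget markup, the function names, the sample payload and the esc_html stand-in (provided so the file runs with plain `php` outside WordPress) are assumptions for illustration.

```php
<?php
// Added example, not code from the Master Addons plugin. The control name
// 'ma_el_bh_table_btn_text' is the one named in the advisory; the widget
// markup, function names and payload below are assumptions for illustration.

// Stand-in for WordPress's esc_html() so this file runs with plain `php`
// outside WordPress. Inside WordPress the real helper is used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Settings as an Elementor widget receives them from
// $this->get_settings_for_display(). The values were typed by whoever edited
// the page, so a contributor controls them. Constructed sample with a payload
// that needs no <script> tag, only an event handler on an image that fails to load.
$settings = [
    'ma_el_bh_table_btn_text' => 'Details<img src=x onerror=alert(document.cookie)>',
];

// Vulnerable pattern: the stored control value is concatenated straight into
// the HTML, so the tag inside it is parsed as markup and the handler runs for
// every visitor of the page.
function render_button_vulnerable( array $settings ): string {
    $text = $settings['ma_el_bh_table_btn_text'] ?? '';
    return '<button type="button" class="ma-el-bh-table-btn">' . $text . '</button>';
}

// Hardened pattern: escape at the point of output with the escaper that
// matches the context (esc_html for element text; esc_attr would be the
// choice inside an attribute value). The stored value is unchanged, but the
// browser now renders '<' and '>' as literal characters.
function render_button_hardened( array $settings ): string {
    $text = $settings['ma_el_bh_table_btn_text'] ?? '';
    return '<button type="button" class="ma-el-bh-table-btn">' . esc_html( $text ) . '</button>';
}

// Coarse review check: does any tag other than the one the widget itself emits
// survive in the rendered output? strip_tags() keeps <button> and removes
// everything else, so a changed string means foreign markup got through.
function contains_foreign_tag( string $html ): bool {
    return strip_tags( $html, '<button>' ) !== $html;
}

echo render_button_vulnerable( $settings ), PHP_EOL;
echo render_button_hardened( $settings ), PHP_EOL;
var_dump( contains_foreign_tag( render_button_vulnerable( $settings ) ) );
var_dump( contains_foreign_tag( render_button_hardened( $settings ) ) );
```

Escaping at output is the control that cannot be skipped, because the same stored value may be rendered in more than one context. Running sanitize_text_field() over the value when it is saved is worthwhile defense in depth, but it does not replace esc_html()/esc_attr() in the render routine.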
The operational impact goes beyond a one-off script execution. Because the payload is stored with the page, it runs every time any user loads that page, for as long as the injected content remains, and on a high-traffic site or one where contributors work on pages that editors and administrators review, that can be many victims over a long period. Typical follow-on actions are cookie theft, session hijacking, and redirection to attacker-controlled sites. WordPress sets its authentication cookies HttpOnly, so reading document.cookie is less useful than driving the victim's session directly from the injected script: when the victim is an administrator, script running in that browser can call admin-ajax.php or the REST API with the victim's nonce to create an administrator account or install a plugin, turning a contributor-level XSS into full site compromise. In MITRE ATT&CK terms this is execution of attacker-controlled JavaScript in the victim's browser (T1059.007, Command and Scripting Interpreter: JavaScript), used for credential access through session cookie theft (T1539, Steal Web Session Cookie) or for actions taken in the victim's authenticated session.
Mitigation for CVE-2026-2486 starts with updating Master Addons For Elementor to a release after 2.1.1 in which the maintainers state the issue is fixed, on every site that runs it. Since the payload is already stored on sites that were exploited before patching, administrators should also review pages and Elementor content edited by contributor accounts for unexpected script tags or event-handler attributes and remove them; patching stops new injections but does not clean existing ones. Beyond that, keep contributor accounts to the minimum needed and enforce strong authentication on them, review plugin inventories regularly, and prefer plugins that escape at output with the WordPress helpers (esc_html, esc_attr, esc_url). A Content Security Policy helps only if it disallows inline script, which many WordPress themes and plugins still depend on, so test it before relying on it. A web application firewall can catch common payload patterns, but because the attacker here is an authenticated editor of the page, the rules must apply to authenticated editing traffic, not just anonymous requests. The underlying lesson for plugin developers is the one this CVE illustrates: every user-supplied setting must be escaped for the context in which it is rendered, regardless of the role of the user who saved it.