CVE-2026-3034 in OoohBoi Steroids for Elementor Plugin
Summary
by MITRE • 03/05/2026
The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/05/2026
The vulnerability identified as CVE-2026-3034 affects the OoohBoi Steroids for Elementor WordPress plugin, specifically targeting versions up to and including 2.1.24. This represents a critical security flaw that exploits stored cross-site scripting mechanisms within the plugin's functionality. The vulnerability manifests through three distinct URL parameters: _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link, which are processed without adequate input validation or sanitization. Attackers with Contributor-level access or higher can leverage this weakness to inject malicious scripts that persist within the plugin's data storage, making it a stored XSS vulnerability rather than a reflected one.
The technical flaw resides in the plugin's insufficient validation of user-supplied input parameters that are intended for URL handling within the Elementor page builder environment. When these parameters are processed and stored in the WordPress database, they fail to undergo proper sanitization or escaping before being rendered in subsequent page requests. This allows attackers to craft malicious payloads that are executed in the context of other users' browsers when they interact with pages containing the compromised elements. The vulnerability's impact is amplified by the fact that it requires only Contributor-level privileges, which are commonly granted to content authors and editors in WordPress installations, making exploitation more feasible in real-world scenarios.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities. Once a user clicks on an injected element, the malicious scripts can steal session cookies, redirect users to phishing sites, modify page content, or even execute commands on behalf of the victim user. This poses significant risks to both site integrity and user data security, particularly in environments where multiple users with varying permission levels interact with the same WordPress installation. The stored nature of the vulnerability means that the malicious code persists until manually removed, creating a long-term threat vector that can affect numerous users over extended periods.
Organizations should immediately implement mitigations including updating to the latest version of the plugin where the vulnerability has been patched, as well as implementing strict input validation measures. Security practitioners should also consider implementing web application firewalls to detect and block suspicious parameter values, while conducting thorough audits of all installed plugins to identify similar vulnerabilities. From a compliance standpoint, this vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and may be categorized under ATT&CK technique T1566 for social engineering through malicious content injection. Regular security assessments and privileged access reviews are essential to prevent unauthorized users from exploiting such weaknesses, particularly in environments where contributor-level accounts are commonly used for content management operations.