CVE-2026-32430 in PowerPack Addons for Elementor Plugin
Summary
by MITRE • 03/13/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IdeaBox Creations PowerPack Addons for Elementor powerpack-lite-for-elementor allows Stored XSS. This issue affects PowerPack Addons for Elementor: from n/a through <= 2.9.9.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability identified as CVE-2026-32430 is a stored cross-site scripting flaw in the PowerPack Addons for Elementor WordPress plugin by IdeaBox Creations (plugin slug powerpack-lite-for-elementor). It lets an attacker place script into content the plugin renders, so that the script later runs in the browsers of other users who view the affected pages, which makes the risk persistent for every site running the plugin. The weakness is improper neutralization of input during web page generation, CWE-79. According to the advisory, all releases up to and including 2.9.9 are affected; the lower bound is given as n/a, meaning no earliest affected version has been identified, not that the flaw is known to be old.
Technically, the flaw comes from inadequate output escaping in the plugin's content generation. The advisory does not name the specific widget, setting or request parameter involved, nor the privilege level needed to store the payload, so those details should be taken from the vendor's changelog or the fixing commit rather than assumed. The general shape of this bug class in Elementor add-ons is well known: a value entered in the editor (a widget title, link, attribute or rich-text block) is written into the page's HTML without esc_html(), esc_attr(), esc_url() or wp_kses(), so markup such as an element carrying an event-handler attribute survives into the rendered page. Because the payload is stored with the content, it executes for every visitor, including logged-in administrators, each time the page is loaded; unlike reflected XSS, the victim does not have to follow a crafted link.
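To make the escaping point concrete, here is an added example that is not PowerPack's code: an Elementor-style widget whose render() echoes user-controlled settings unescaped, beside the hardened form that escapes per output context. It assumes WordPress and Elementor are loaded; the widget class names and the title, link and body setting keys are hypothetical.

```php
<?php
// Added example (not PowerPack's or Elementor's own code). Assumes WordPress
// with Elementor loaded; widget names and setting keys are hypothetical.
//
// Vulnerable pattern: editor-supplied settings flow straight into HTML.
// A "title" of   <img src=x onerror=alert(document.domain)>   or a "link" of
// javascript:alert(1) saved by whoever may edit the widget then runs for
// every visitor who loads the page, which is exactly stored XSS (CWE-79).
class PP_Example_Card_Widget_Vulnerable extends \Elementor\Widget_Base {
    public function get_name() {
        return 'pp-example-card-vulnerable';
    }

    protected function render() {
        $settings = $this->get_settings_for_display();
        echo '<div class="pp-card">';
        echo '<a href="' . $settings['link'] . '">';          // no esc_url()
        echo '<h3>' . $settings['title'] . '</h3>';            // no esc_html()
        echo '</a>';
        echo '<div class="pp-card-body">' . $settings['body'] . '</div>'; // no wp_kses
        echo '</div>';
    }
}

// Hardened form: escape at the point of output, choosing the escaper for the
// context the value lands in (URL attribute, text node, limited rich text).
class PP_Example_Card_Widget_Hardened extends \Elementor\Widget_Base {
    public function get_name() {
        return 'pp-example-card-hardened';
    }

    protected function render() {
        $settings = $this->get_settings_for_display();
        echo '<div class="pp-card">';
        // esc_url() drops javascript: and other disallowed schemes and
        // entity-encodes the rest so the attribute cannot be broken out of.
        echo '<a href="' . esc_url( $settings['link'] ) . '">';
        // esc_html() converts < > & " ' to entities; the title is a text node.
        echo '<h3>' . esc_html( $settings['title'] ) . '</h3>';
        echo '</a>';
        // wp_kses_post() keeps the tags a post body may legitimately contain
        // and strips <script>, on* handlers and javascript: URLs from the rest.
        echo '<div class="pp-card-body">' . wp_kses_post( $settings['body'] ) . '</div>';
        echo '</div>';
    }
}
```

The choice of escaper matters: esc_html() on a value that lands inside an href would not stop javascript:, and wp_kses_post() on a title would still let harmless tags through where none belong. Escape once, at output, for the exact context.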
The impact goes beyond running a script. Code executing in a victim's browser on the site's origin can read what that page exposes (including REST and AJAX nonces), issue requests that ride the victim's authenticated session, rewrite page content, redirect visitors to malicious sites, or load further malware. WordPress marks its authentication cookies HttpOnly, so outright cookie theft is usually not the route; the realistic outcome is that when an administrator views the injected page, the script acts with that administrator's privileges, for example creating a user, changing site options or installing a plugin. The exposure is broad because PowerPack Addons for Elementor is a widely installed plugin. The accurate classification is CWE-79; mapping this issue to ATT&CK techniques such as T1531 (Account Access Removal) or T1071.001 (Application Layer Protocol: Web Protocols) is a mistake, as those describe post-compromise account lockout and command-and-control traffic, not an injection flaw in a web application.
Site owners should update PowerPack Addons for Elementor to a release later than 2.9.9 that the vendor identifies as containing the fix; the advisory itself does not name the fixed version. A Content Security Policy can limit what an injected script can do, but Elementor's front end relies on inline scripts, so deploy it first as Content-Security-Policy-Report-Only and tighten it from the reports rather than enforcing a blind policy that breaks pages. Plugin and theme code should escape at output with the function matching the context (esc_html, esc_attr, esc_url, wp_kses_post), since input filtering alone is bypassable. Monitor for exploitation: review web server and WAF logs for editor and AJAX requests carrying script-like payloads, and audit stored Elementor content (the _elementor_data post meta) for injected script tags, event-handler attributes or javascript: URLs, since a payload planted before the update survives the update. The case illustrates the usual lesson: patch promptly and layer defences so that one missed escape does not hand an attacker administrator-level control.
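The two checks above, a report-only CSP and an audit of stored Elementor content, as an added example that is not PowerPack's or Elementor's code. It assumes a WordPress install where Elementor keeps each page's widget tree as JSON in the _elementor_data post meta key; the function names, the audit patterns and the report endpoint are hypothetical.

```php
<?php
// Added example (not PowerPack's or Elementor's code). Assumes WordPress with
// Elementor, which stores each page's widget tree as JSON under the post meta
// key _elementor_data. Function names and the report-uri are hypothetical.

// Patterns that indicate a stored-XSS payload rather than ordinary rich text.
// Matches are candidates for review, not proof: an HTML widget may carry a
// script on purpose, so the report is triaged by a human.
const PP_AUDIT_PATTERNS = array(
    '/<script\b/i',
    '/\bon[a-z]+\s*=/i',            // onerror=, onload=, onmouseover= ...
    '/javascript\s*:/i',
    '/<(iframe|object|embed)\b/i',
);

// Walk a decoded _elementor_data tree and return path => value for every
// string setting that matches one of the patterns. Paths look like
// "/0/elements/2/settings/title", which locates the widget in the editor.
function pp_audit_find_markup( $node, $path = '' ) {
    $hits = array();
    if ( is_string( $node ) ) {
        foreach ( PP_AUDIT_PATTERNS as $re ) {
            if ( preg_match( $re, $node ) ) {
                $hits[ $path ] = $node;
                break;
            }
        }
    } elseif ( is_array( $node ) ) {
        foreach ( $node as $key => $child ) {
            $hits += pp_audit_find_markup( $child, $path . '/' . $key );
        }
    }
    return $hits;
}

// Scan every Elementor-built post; return post_id => hits for posts with any.
// Decoding the JSON first means payloads stored as \u003Cscript\u003E are
// still caught, not just literal "<script" in the raw meta_value.
function pp_audit_scan_elementor_posts() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT post_id, meta_value FROM {$wpdb->postmeta} WHERE meta_key = '_elementor_data'"
    );
    $report = array();
    foreach ( $rows as $row ) {
        $tree = json_decode( $row->meta_value, true );
        if ( ! is_array( $tree ) ) {
            continue;
        }
        $hits = pp_audit_find_markup( $tree );
        if ( $hits ) {
            $report[ (int) $row->post_id ] = $hits;
        }
    }
    return $report;
}

// Report-only CSP on the public front end only. Elementor's own front-end
// bundle uses inline scripts and its widgets may load remote ones, so an
// enforcing policy written blind would break pages; collect reports first,
// then move to Content-Security-Policy once the allow-list is known.
add_action( 'send_headers', function () {
    if ( is_admin() ) {
        return;
    }
    header(
        "Content-Security-Policy-Report-Only: default-src 'self'; "
        . "script-src 'self'; object-src 'none'; base-uri 'self'; "
        . "report-uri /csp-report-endpoint"   // hypothetical collector
    );
} );

// Usage, e.g. with WP-CLI:  wp eval-file this-file.php
foreach ( pp_audit_scan_elementor_posts() as $post_id => $hits ) {
    foreach ( $hits as $path => $value ) {
        printf( "post %d %s: %s\n", $post_id, $path, substr( $value, 0, 120 ) );
    }
}
```

Run the audit once before the update to know what was planted and once after to confirm nothing remains; the update fixes the escaping, not the data already in the database.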