WordPress Security Bulletin: Master Addons For Elementor Plugin Vulnerability (CVE-2026-2486)

Security Alert Summary

The Master Addons For Elementor plugin contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users with contributor-level access or higher to inject JavaScript via a plugin parameter. Injected scripts are stored and will execute when other users view the affected page.


CVE Details

  • CVE ID: CVE-2026-2486
  • Affected plugin / component: Master Addons For Elementor plugin for WordPress
  • Affected versions: Versions up to and including 2.1.1
  • Published: February 20, 2026 at 12:16:16 PM
  • Last modified: February 20, 2026 at 1:49:47 PM
  • CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User Interaction: Authentication required — an authenticated attacker with contributor-level access or higher. Privileges Required: LOW. User Interaction: NONE.
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
  • CWE / Weakness: CWE-79 (Cross-site Scripting)

Technical Details

The vulnerability is a stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping of the ma_el_bh_table_btn_text parameter. When an authenticated user with contributor-level access or higher supplies crafted input for this parameter, the plugin stores the injected payload. The stored script is then delivered to and executed in the browser context of any user who loads the page containing the injected content.

The CVE entry specifies the problematic parameter and indicates that the root cause is missing or inadequate sanitization and escaping. As a stored XSS, the attack does not require additional user interaction once the malicious content is placed: any subsequent page view that renders the injected content will run the script in the viewer’s browser.
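To make the described root cause concrete, the following is an added PHP example, not code from the Master Addons plugin, that contrasts a render path echoing the saved ma_el_bh_table_btn_text setting verbatim with one that sanitizes on save and escapes on output. The widget structure, the render_button_* and save_setting_hardened function names, and the stand-in definitions of esc_html() and sanitize_text_field() (included only so the file runs outside WordPress) are assumptions; inside a real plugin the WordPress functions of the same name are used.

```php
<?php
// Added example (not Master Addons code): a stand-in for a widget render path.
// Assumption: the widget reads a saved setting under the key
// 'ma_el_bh_table_btn_text' and echoes it inside a <button> element.

// Stand-ins so this file runs outside WordPress. Inside a plugin the real
// esc_html() and sanitize_text_field() are loaded and must be used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Rough approximation of WordPress behaviour: drop tags and control bytes, trim.
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/u', '', $text);
        return trim($text);
    }
}

// Vulnerable pattern: the stored setting is concatenated into HTML unescaped,
// so any markup a contributor saved is interpreted by the viewer's browser.
function render_button_vulnerable(array $settings): string {
    $label = $settings['ma_el_bh_table_btn_text'] ?? '';
    return '<button class="ma-el-table-btn">' . $label . '</button>';
}

// Hardened output: escape at the point of rendering, whatever was stored.
function render_button_hardened(array $settings): string {
    $label = $settings['ma_el_bh_table_btn_text'] ?? '';
    return '<button class="ma-el-table-btn">' . esc_html($label) . '</button>';
}

// Hardened input: sanitize before the value reaches the database. A button
// label is plain text, so tags have no legitimate place in it.
function save_setting_hardened(array $raw): array {
    $value = (string) ($raw['ma_el_bh_table_btn_text'] ?? '');
    return ['ma_el_bh_table_btn_text' => sanitize_text_field($value)];
}

// Constructed input of the kind a contributor-level account could submit.
$submitted = ['ma_el_bh_table_btn_text' => 'Buy now<script>alert(1)</script>'];

echo "vulnerable render:         " . render_button_vulnerable($submitted) . "\n";
// -> <button class="ma-el-table-btn">Buy now<script>alert(1)</script></button>
echo "escaped on output:         " . render_button_hardened($submitted) . "\n";
// -> <button class="ma-el-table-btn">Buy now&lt;script&gt;alert(1)&lt;/script&gt;</button>
echo "sanitized then escaped:    " . render_button_hardened(save_setting_hardened($submitted)) . "\n";
// -> <button class="ma-el-table-btn">Buy nowalert(1)</button>
```

Output escaping is the control that matters for data that is already in the database: a fix that only sanitizes on save leaves any value stored before the update live until the page is re-saved, whereas escaping at render neutralizes it immediately.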


How This Could Impact Your Website

In a realistic site scenario, a site owner manages plugin installs while internal staff create and edit content and an external contractor contributes pages or templates. If an authenticated contributor or higher can inject JavaScript via the noted parameter, that script could run in the browsers of site administrators, editors, or other staff who view the compromised page. Practical consequences include exposure of session tokens or internal user data accessible to scripts, and disclosure of user-visible information such as email addresses that could increase the risk of targeted phishing or social engineering.

The impact aligns with the CVSS assessment: confidentiality and integrity impacts are rated low, and availability is not affected. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE notes versions up to and including 2.1.1 are affected.)
  • Review and reduce unnecessary user roles, especially contributor accounts and other roles that allow content changes.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and audit content edits for unusual behavior or unexpected script insertions.
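For the last recommendation, auditing content for unexpected script insertions, here is an added PHP example that is not part of this bulletin or the plugin. It walks a page's stored Elementor layout and reports any string setting that contains a tag, an inline event-handler attribute or a javascript: URL, reporting the element id, widget type and setting key for each hit. It is deliberately broader than the single ma_el_bh_table_btn_text parameter so the same sweep covers other text settings. Assumptions: Elementor keeps the layout as a JSON tree in the _elementor_data post meta with "elType", "widgetType", "settings" and "elements" keys; the widget type names in the sample are placeholders, and the sample data is constructed.

```php
<?php
// Added example (not plugin code): audit stored widget settings for script-like content.
// Assumption: Elementor stores a page's layout as a JSON tree in the `_elementor_data`
// post meta; each node carries "elType", optional "widgetType", "settings" and "elements".

const SUSPICIOUS_PATTERNS = [
    '/<\s*\/?\s*[a-z][\w-]*/i' => 'html tag',                 // any opening or closing tag
    '/\bon[a-z]+\s*=/i'        => 'event handler attribute',   // onload=, onerror=, ...
    '/javascript\s*:/i'        => 'javascript: URL',
];

// Return the list of pattern labels that match a single setting value.
function classify_value(string $value): array {
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $re => $label) {
        if (preg_match($re, $value)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Recursively walk an element tree, appending one finding per suspicious string setting.
function audit_elements(array $elements, int $post_id, array &$findings): void {
    foreach ($elements as $el) {
        foreach (($el['settings'] ?? []) as $key => $value) {
            if (!is_string($value)) {
                continue;
            }
            $reasons = classify_value($value);
            if ($reasons) {
                $findings[] = [
                    'post_id' => $post_id,
                    'element' => $el['id'] ?? '?',
                    'widget'  => $el['widgetType'] ?? ($el['elType'] ?? '?'),
                    'setting' => $key,
                    'reasons' => $reasons,
                    'value'   => substr($value, 0, 80),
                ];
            }
        }
        if (!empty($el['elements'])) {
            audit_elements($el['elements'], $post_id, $findings);
        }
    }
}

// Decode one post's _elementor_data value and return all findings for it.
function audit_elementor_data(int $post_id, string $json): array {
    $tree = json_decode($json, true);
    if (!is_array($tree)) {
        throw new InvalidArgumentException("post $post_id: _elementor_data is not valid JSON");
    }
    $findings = [];
    audit_elements($tree, $post_id, $findings);
    return $findings;
}

// Constructed sample in the shape of a _elementor_data value (not real site data;
// the widgetType strings are placeholders, not the plugin's actual slugs).
$sample = json_encode([
    ['id' => 'a1', 'elType' => 'section', 'settings' => [], 'elements' => [
        ['id' => 'b2', 'elType' => 'column', 'settings' => [], 'elements' => [
            ['id' => 'c3', 'elType' => 'widget', 'widgetType' => 'placeholder-table-widget',
             'settings' => ['ma_el_bh_table_btn_text' => 'Download<script>alert(1)</script>']],
            ['id' => 'd4', 'elType' => 'widget', 'widgetType' => 'placeholder-table-widget',
             'settings' => ['ma_el_bh_table_btn_text' => 'Download brochure']],
        ]],
    ]],
]);

foreach (audit_elementor_data(123, $sample) as $f) {
    printf("post %d element %s (%s) setting %s: %s -> %s\n",
        $f['post_id'], $f['element'], $f['widget'], $f['setting'],
        implode(', ', $f['reasons']), $f['value']);
}
// -> post 123 element c3 (placeholder-table-widget) setting ma_el_bh_table_btn_text: html tag -> Download<script>alert(1)</script>
```

On a live site the JSON for a given post can be pulled with WP-CLI (wp post meta get <post_id> _elementor_data) and fed to audit_elementor_data(); run it over every post that uses the page builder and review each finding by hand, since the patterns are heuristics and legitimate text can occasionally contain an angle bracket.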

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

