Skip to content
Verified JetWidgets For Elementor Stored XSS via Animated Box animation_effect
REPRO-2026-00203 XSS Jul 2, 2026 .txt
Severity MEDIUM
Confidence HIGH
Reproduced in 29m 27s
Tool calls 176
Spend $2.03
$ pruva-verify REPRO-2026-00203
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00203/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered inside an HTML class attribute. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.