## Evidence
- `bundle/logs/reproduction_steps.log` — step-by-step console output from the reproduction run.
- `bundle/logs/insert.log` — page ID and permalink produced by the PHP insertion script.
- `bundle/logs/wordpress.log` — Apache/WordPress container logs.
- `bundle/logs/mysql.log` — MySQL container logs.
- `bundle/repro/artifacts/page.html` — full HTML body of the rendered published page.
- `bundle/repro/artifacts/page.headers` — HTTP response headers from the page request.
- `bundle/repro/artifacts/insert_page.php` — the PHP helper used to create the malicious page.
Key excerpt from `bundle/repro/artifacts/page.html` (line 229 in the reproduced output):
```html
```
This shows that the `animation_effect` value broke out of the `class` attribute and added new attributes, including the `onmouseover` event handler.
Environment details captured in the runtime manifest:
- WordPress 6.7 (PHP 8.1 / Apache)
- Elementor 3.27.5
- JetWidgets For Elementor 1.0.21
- MySQL 8.0
## Recommendations / Next Steps
1. **Upgrade:** Site owners should upgrade JetWidgets For Elementor to version 1.0.22 or later, which contains commit `49952dd92b2bbd59e6627e7b67b0b3621c3852a0`.
2. **Fix approach:**
- Server-side validation: reject any `animation_effect` value that is not in the defined list of allowed effects (e.g., `jw-box-effect-1` through `jw-box-effect-8`).
- Output escaping: render the value with `esc_attr()` before placing it inside the HTML `class` attribute.
3. **Testing recommendations:**
- Add unit/integration tests that save payloads containing `"`, `<`, `>`, and `javascript:` in the `animation_effect` setting and assert that the rendered HTML does not contain an unescaped attribute break or event handler.
- Test with the Elementor editor save flow as well as direct post-meta injection to ensure both paths are sanitized.
4. **Further verification:** The script could be extended to include a real browser engine (e.g., Playwright/Chromium) to demonstrate actual JavaScript execution on mouseover. The current proof is sufficient to confirm the server-side sink but not a live browser exploit.
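As an added example (not the plugin's or Pruva's code), the following PHP puts the two-layer fix from item 2 beside the regression check from item 3: the `jw_*` function names are hypothetical, and `esc_attr()` is WordPress's own function, stubbed only when the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's code) showing the recommended fix: an
// allowlist for animation_effect plus esc_attr() when it lands in the class
// attribute. jw_* function names are hypothetical. esc_attr() is WordPress's;
// the fallback below lets the file run outside WordPress.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Server-side validation: only the eight defined effects are accepted; any
// other value (including tampered post meta) is dropped before rendering.
function jw_sanitize_animation_effect(string $value): string {
    $allowed = array_map(fn(int $i) => "jw-box-effect-$i", range(1, 8));
    return in_array($value, $allowed, true) ? $value : '';
}

// Output escaping as defence in depth: even if validation were bypassed,
// esc_attr() encodes quotes and angle brackets, so the attribute cannot close early.
function jw_render_box(string $animation_effect): string {
    $class = esc_attr(jw_sanitize_animation_effect($animation_effect));
    return '<div class="' . trim("jw-box $class") . '"></div>';
}

// Regression check along the lines of the testing recommendation: render each
// payload and confirm no attribute break, extra tag or event handler survives.
function jw_render_is_safe(array $payloads): bool {
    foreach ($payloads as $payload) {
        $html = jw_render_box($payload);
        // One element (two '<'), one attribute value (two '"'), no on*= handler.
        if (substr_count($html, '<') !== 2 || substr_count($html, '"') !== 2
            || preg_match('/\son[a-z]+\s*=/i', $html)
            || stripos($html, 'javascript:') !== false) {
            return false;
        }
    }
    return true;
}

// Constructed test inputs covering the characters named in the recommendation.
$payloads = [
    'jw-box-effect-3',            // legitimate value, passes through unchanged
    'jw-box-effect-1" data-x="',  // double quote: attribute-break attempt
    '<img src=x>',                // angle brackets: tag injection attempt
    'javascript:void(0)',         // scheme string where a class name belongs
];
var_dump(jw_render_is_safe($payloads));
```

Running it against the unpatched render path instead (raw concatenation without the allowlist or `esc_attr()`) is what a CI test for this widget should make fail.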
## Additional Notes
- **Idempotency:** The reproduction script was executed twice consecutively from a clean state and succeeded both times. It cleans up all Docker containers and networks on exit via a `trap`.
- **Limitations:** The reproduction does not exercise the Elementor editor UI or the `admin-ajax.php` save endpoint. It sets the widget data directly in post meta. This is acceptable for proving the rendered-page vulnerability sink, but it does not reproduce the full author-workflow UI. The root cause is the same regardless of how the malicious value reaches the database.
- **No custom exploit code:** The reproduction uses the real WordPress, Elementor, and JetWidgets plugin code; no reimplementation of the vulnerability was used.
## Reproduction Details
Reproduced: 2026-07-02T19:28:31.975Z
Duration: 1767 seconds
Tool calls: 176
Turns: Unknown
Handoffs: 2
## Quick Verification
Run one of these commands to verify locally:
```
pruva-verify REPRO-2026-00203
pruva-verify CVE-2026-11380
```
Or open in GitHub Codespaces (zero-friction, auto-runs):
https://github.com/codespaces/new?ref=repro/REPRO-2026-00203&repo=N3mes1s/pruva-sandbox
Or download and run the script manually:
```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00203/artifacts/bundle/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```
WARNING: Run in a sandboxed environment. This exploits a real vulnerability.
## References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11380
- Source: jetmonsters/jetwidgets-for-elementor
## Artifacts
- bundle/repro/reproduction_steps.sh (reproduction_script, 8199 bytes)
- bundle/repro/rca_report.md (analysis, 8471 bytes)
- bundle/vuln_variant/reproduction_steps.sh (reproduction_script, 8654 bytes)
- bundle/vuln_variant/rca_report.md (analysis, 11273 bytes)
- bundle/ticket.md (ticket, 725 bytes)
- bundle/ticket.json (other, 1110 bytes)
- bundle/repro/artifacts/insert_page.php (other, 1729 bytes)
- bundle/repro/artifacts/page.html (other, 58157 bytes)
- bundle/repro/artifacts/page.headers (other, 446 bytes)
- bundle/repro/runtime_manifest.json (other, 693 bytes)
- bundle/repro/validation_verdict.json (other, 843 bytes)
- bundle/logs/reproduction_steps.log (log, 3897 bytes)
- bundle/logs/wordpress.log (log, 2068 bytes)
- bundle/logs/mysql.log (log, 6492 bytes)
- bundle/logs/insert.log (log, 52 bytes)
- bundle/logs/vuln_variant/variant_reproduction.log (log, 3412 bytes)
- bundle/logs/vuln_variant/insert_vuln.log (log, 69 bytes)
- bundle/logs/vuln_variant/wordpress_vuln.log (log, 2191 bytes)
- bundle/logs/vuln_variant/mysql_vuln.log (log, 6492 bytes)
- bundle/logs/vuln_variant/insert_fixed.log (log, 70 bytes)
- bundle/logs/vuln_variant/wordpress_fixed.log (log, 2194 bytes)
- bundle/logs/vuln_variant/mysql_fixed.log (log, 6492 bytes)
- bundle/vuln_variant/artifacts/insert_vuln.php (other, 2228 bytes)
- bundle/vuln_variant/artifacts/insert_fixed.php (other, 2228 bytes)
- bundle/vuln_variant/artifacts/page_vuln.html (other, 58849 bytes)
- bundle/vuln_variant/artifacts/page_vuln.headers (other, 443 bytes)
- bundle/vuln_variant/artifacts/page_fixed.html (other, 58892 bytes)
- bundle/vuln_variant/artifacts/page_fixed.headers (other, 446 bytes)
- bundle/vuln_variant/patch_analysis.md (documentation, 7380 bytes)
- bundle/vuln_variant/runtime_manifest.json (other, 1101 bytes)
- bundle/vuln_variant/variant_manifest.json (other, 3140 bytes)
- bundle/vuln_variant/validation_verdict.json (other, 886 bytes)
- bundle/vuln_variant/source_identity.json (other, 1011 bytes)
- bundle/vuln_variant/root_cause_equivalence.json (other, 1316 bytes)
## API Access
- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00203
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00203/artifacts/bundle/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00203
## For AI Assistants
To help users with this reproduction:
1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability
---
Generated by Pruva | https://pruva.dev