# REPRO-2026-00203: JetWidgets For Elementor Stored XSS via Animated Box animation_effect

## Summary

- Status: published
- Severity: medium
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00203
- CVE: CVE-2026-11380

## Package

- Name: Unknown
- Ecosystem: Unknown
- Affected: Unknown
- Fixed: Unknown

## Root Cause

# RCA Report: CVE-2026-11380 — JetWidgets For Elementor Stored XSS

## Summary

The JetWidgets For Elementor WordPress plugin (versions up to and including 1.0.21) is vulnerable to stored cross-site scripting (Stored XSS) in the Animated Box widget. The widget's `animation_effect` setting is printed directly into the HTML `class` attribute of the rendered widget without output escaping or server-side validation. An attacker who can supply a value containing a double quote can close the `class` attribute early and inject arbitrary attributes, including event handlers such as `onmouseover="alert(1)"`. Because the payload is saved with the page and re-rendered for every visitor, this is stored rather than reflected XSS.

The reproduction confirmed the payload in the published page HTML by deploying a real WordPress + Elementor + JetWidgets stack and viewing the rendered page.

## Impact

- **Product / component:** `jetwidgets-for-elementor` (Crocoblock / jetmonsters), specifically the `jw-animated-box` widget.
- **Affected versions:** 1.0.21 and earlier (the WordPress.org repository still listed 1.0.21 as the current stable release when the CVE was published).
- **Risk level:** Medium. The vendor/Wordfence CVSS score is reported as 6.4.
- **Consequences:** Any authenticated user with at least the `author` role can save a page containing a malicious Animated Box widget. The injected JavaScript is stored in the page and executes in the browser of every visitor who views it.

## Impact Parity

- **Disclosed / claimed maximum impact:** Stored XSS via an author-level account in the Animated Box widget's `animation_effect` setting.
- **Reproduced impact from this run:** A real WordPress environment was deployed with Elementor and JetWidgets 1.0.21. A published page was created with a malicious `animation_effect` value. The rendered page HTML contains the attribute-boundary break (the unescaped `"` that closes the `class` attribute) followed by the injected `style` and `onmouseover="alert(1)"` attributes.
- **Parity:** `full` — the reproduction reaches the same rendered-page sink described in the advisory.
- **Not demonstrated:** The reproduction does not run a full browser engine, so the JavaScript payload itself was not executed in the test environment. The proof rests on the injected event handler being present, unescaped, in the server-rendered HTML, which is exactly what the missing output escaping produces.

## Root Cause

The vulnerability is in the widget's render template:

```php
```

The helper method chain ends up in `includes/base/class-jet-widgets-base.php`:

```php
public function __render_html( $setting = null, $format = '%s' ) {
	...
	// The escaping call wraps the format string; $val is printed as-is.
	printf( wp_kses_post( $format ), $val );
}
```

`wp_kses_post()` is applied to the format string `'%s'`, not to the value. The raw `animation_effect` value is therefore printed verbatim inside the HTML `class` attribute. The UI control in `includes/addons/jet-widgets-animated-box.php` is a `
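The escape-the-format-not-the-value mistake described above, as an added example rather than the plugin's own code: a stand-alone PHP model of `__render_html()` next to a hardened version, both feeding the same attacker value into a `class` attribute sink. It assumes the `'%s'` format and `class`-attribute sink the report describes; `kses_post_stub()` and `esc_attr_stub()` are local stand-ins for WordPress's `wp_kses_post()` and `esc_attr()` (the real functions are not available outside WordPress), and the effect allow-list and the payload are constructed for this example.

```php
<?php
// Added example, not JetWidgets' own code: models the __render_html() bug
// and a hardened version. Assumptions: the setting is printed through a
// '%s' format into a class attribute; kses_post_stub() and esc_attr_stub()
// stand in for WordPress wp_kses_post() / esc_attr(); the effect allow-list
// and the payload below are constructed for this example.

// Constructed attacker value: the first '"' closes the class attribute, then
// arbitrary attributes follow. The widget's own closing '"' terminates alert(1).
const PAYLOAD = 'jw-x" style="position:fixed;top:0;left:0;width:100vw;height:100vh" onmouseover="alert(1)';

// Hypothetical allow-list of effect names the select control could offer.
const ALLOWED_EFFECTS = ['none', 'jw-bounce', 'jw-flash', 'jw-pulse'];

// wp_kses_post() stand-in: for a bare '%s' format string it has nothing to strip.
function kses_post_stub(string $format): string {
    return $format;
}

// esc_attr() stand-in: encode the characters that matter in attribute context.
function esc_attr_stub(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the escaping call wraps the format, so $val reaches the page raw.
function render_vulnerable(?string $val, string $format = '%s'): string {
    return sprintf(kses_post_stub($format), (string) $val);
}

// Hardened: reject unknown effect names, then escape the value for the attribute.
function render_fixed(?string $val, string $format = '%s'): string {
    if (!in_array($val, ALLOWED_EFFECTS, true)) {
        $val = 'none';
    }
    return sprintf($format, esc_attr_stub($val));
}

// The sink: the effect name lands inside the widget's class attribute.
function animated_box_markup(callable $render, ?string $effect): string {
    return '<div class="jw-animated-box ' . $render($effect) . '"></div>';
}

// True when the rendered markup carries an attacker-introduced on* handler.
function has_injected_handler(string $html): bool {
    return preg_match('/\son[a-z]+\s*=/i', $html) === 1;
}

$vuln  = animated_box_markup('render_vulnerable', PAYLOAD);
$fixed = animated_box_markup('render_fixed', PAYLOAD);

echo "vulnerable: $vuln\n";
echo "fixed:      $fixed\n";
echo 'handler injected (vulnerable): ' . var_export(has_injected_handler($vuln), true) . "\n";
echo 'handler injected (fixed):      ' . var_export(has_injected_handler($fixed), true) . "\n";
```

Run it with `php example.php`: the vulnerable path emits a `<div>` whose `class` attribute ends at the attacker's `"` and is followed by a live `onmouseover` handler, while the hardened path collapses the payload to `none` because it is not on the allow-list. In the real plugin the equivalent fix is to escape `$val` rather than `$format` with `esc_attr()` (or `sanitize_html_class()` for a class-name sink) and to validate the setting against the control's option list before it is saved; `has_injected_handler()` is the kind of check the reproduction applies to the published page HTML when no browser engine is available to execute the payload.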