PT-2026-33589 · WordPress · Flipbox Addon For Elementor

Athiwat Tiprasaharn +1 · Published 2026-04-18 · Updated 2026-04-18 · CVE-2026-6048

CVSS v3.1: 6.4 Medium (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Name of the Vulnerable Software and Affected Versions
Flipbox Addon for Elementor versions prior to 2.1.2

Description
Insufficient validation of custom attribute names in the Flipbox widget's button URL custom attributes field allows authenticated attackers with author-level access and above to inject arbitrary web scripts. The plugin uses esc_html() on the attribute name, which fails to prevent the use of event handler attributes such as onmouseover or onclick. These scripts execute whenever a user accesses an affected page.

Recommendations
Update to a version later than 2.1.1.
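
The weakness described above, as an added example that is not the plugin's code or its patch: escaping an attribute name leaves a handler name such as onmouseover unchanged, so the name has to be validated against an allowlist. The "name|value" comma-separated input format, the function names and the allowlist contents are assumptions made for illustration.

```php
<?php
// Stand-ins so the example runs outside WordPress; inside WordPress the real functions are used.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}

// Assumed input format: comma-separated "name|value" pairs (hypothetical helper).
function parse_pairs(string $raw): array {
    $pairs = [];
    foreach (explode(',', $raw) as $item) {
        $parts = explode('|', $item, 2);
        $name  = trim($parts[0]);
        if ($name !== '') {
            $pairs[] = [$name, trim($parts[1] ?? '')];
        }
    }
    return $pairs;
}

// Pattern named in the advisory: the attribute name is only HTML-escaped.
// "onmouseover" contains no HTML metacharacters, so it passes through unchanged.
function render_attrs_escaped_only(string $raw): string {
    $out = '';
    foreach (parse_pairs($raw) as [$name, $value]) {
        $out .= ' ' . esc_html($name) . '="' . esc_attr($value) . '"';
    }
    return $out;
}

// Hardened form: validate the name itself, escape only the value.
function render_attrs_validated(string $raw): string {
    $out = '';
    foreach (parse_pairs($raw) as [$name, $value]) {
        $name    = strtolower($name);
        $allowed = in_array($name, ['rel', 'title', 'download'], true) // illustrative allowlist
            || preg_match('/^(data|aria)-[a-z0-9_-]+$/', $name) === 1;
        if (!$allowed) {
            continue; // drops on* handlers, href, style and malformed names
        }
        $out .= ' ' . $name . '="' . esc_attr($value) . '"';
    }
    return $out;
}

$raw = 'data-id|42,onmouseover|handler()'; // constructed sample input
echo '<a href="#"' . render_attrs_escaped_only($raw) . ">escaped only</a>\n";
echo '<a href="#"' . render_attrs_validated($raw) . ">validated</a>\n";
```

The first line of output still carries the onmouseover attribute; the second keeps only data-id.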

Fix

XSS

Weakness Enumeration

Related Identifiers
CVE-2026-6048

Affected Products
Flipbox Addon For Elementor