CVE-2026-6048 is a stored cross-site scripting vulnerability in the Flipbox Addon for Elementor WordPress plugin, affecting all versions up to 2.1.1. The issue arises from insufficient validation of custom attribute names in the Flipbox widget's button URL custom_attributes field. The plugin uses esc_html() on attribute names, which does not prevent injection of event handler attributes such as 'onclick' or 'onmouseover'. This allows authenticated users with author-level access or higher to inject arbitrary JavaScript that executes when the page is viewed. The vulnerability has a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact. No patch or official remediation is currently documented.

An attacker with author-level or higher privileges can inject malicious scripts into pages via the vulnerable custom_attributes field. These scripts execute in the context of users who view the affected pages, potentially leading to session hijacking, defacement, or other client-side attacks. The impact is limited to confidentiality and integrity with no availability impact. The vulnerability requires authenticated access and does not require user interaction to trigger once the malicious content is stored and viewed.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict author-level access to trusted users only and consider disabling or removing the Flipbox Addon for Elementor plugin if possible. Monitor for updates from the vendor and apply patches promptly once available.