Analysis Report Folder Analysis cache/essential-addons-for-elementor-lite_6.5.5 → cache/essential-addons-for-elementor-lite_6.5.6 - CVE-2026-1004

Shared security patch analysis results

AI Used: claude_cli haiku
CVE Security Analysis & Writeups

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2026-1004
AI-Generated Analysis
essential_adons_elementor.php AI: No vulnerabilities
--- cache/essential-addons-for-elementor-lite_6.5.5/essential_adons_elementor.php	2026-01-16 00:20:08.724177297 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/essential_adons_elementor.php	2026-01-16 00:21:00.363418126 +0000@@ -4,14 +4,14 @@  * Description: The Essential plugin you install after Elementor! Packed with 100+ stunning elements like Data Table, Event Calendar, Filterable Gallery, WooCommerce.  * Plugin URI: https://essential-addons.com/  * Author: WPDeveloper- * Version: 6.5.5+ * Version: 6.5.6  * Author URI: https://wpdeveloper.com/  * Text Domain: essential-addons-for-elementor-lite  * Domain Path: /languages  *  * WC tested up to: 10.0- * Elementor tested up to: 3.33- * Elementor Pro tested up to: 3.33+ * Elementor tested up to: 3.34+ * Elementor Pro tested up to: 3.34  */  if (!defined('ABSPATH')) {@@ -27,7 +27,7 @@ define('EAEL_PLUGIN_BASENAME', plugin_basename(__FILE__)); define('EAEL_PLUGIN_PATH', trailingslashit(plugin_dir_path(__FILE__))); define('EAEL_PLUGIN_URL', trailingslashit(plugins_url('/', __FILE__)));-define('EAEL_PLUGIN_VERSION', '6.5.5');+define('EAEL_PLUGIN_VERSION', '6.5.6'); define('EAEL_ASSET_PATH', wp_upload_dir()['basedir'] . '/essential-addons-elementor'); define('EAEL_ASSET_URL', wp_upload_dir()['baseurl'] . '/essential-addons-elementor'); /**
AI Analysis
Vulnerability Existed: no

No vulnerabilities detected in this code diff.

Explanation:
This diff contains only version number and compatibility metadata updates:
- Plugin version bumped from 6.5.5 to 6.5.6
- Elementor compatibility updated from 3.33 to 3.34
- WooCommerce tested version remains at 10.0

These are benign administrative changes with no security implications. No code logic modifications, input validation changes, authentication/authorization alterations, or dependency updates are present. The changes do not introduce, fix, or relate to any security vulnerabilities.
CVE Analysis Results:
CVE-2026-1004: No
View CVE Description
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.
includes/Elements/Adv_Accordion.php AI: 2 vulnerabilities 2 false positives
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Elements/Adv_Accordion.php	2026-01-16 00:20:08.724177297 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Elements/Adv_Accordion.php	2026-01-16 00:21:00.779444216 +0000@@ -112,6 +112,7 @@          */         $this->init_content_general_controls();         $this->init_content_content_controls();+        do_action( 'eael_adv_accordion_media_type_controls', $this );         $this->init_content_promotion_controls();          /**@@ -131,19 +132,53 @@                 'label' => esc_html__('General Settings', 'essential-addons-for-elementor-lite'),             ]         );++        $image_path = EAEL_PLUGIN_URL . 'assets/admin/images/layout-previews/accordion-';+        $eael_accordion_layout = apply_filters(+            'eael_adv_accordion_styles',+            [+                'styles' => [+                    'accordion' => [+                        'title' => esc_html__( 'Accordion', 'essential-addons-for-elementor-lite' ),+						'image' => $image_path . 'default.png'+                    ],+                    'toggle' => [+                        'title' => esc_html__( 'Toggle', 'essential-addons-for-elementor-lite' ),+						'image' => $image_path . 'toggle.png'+                    ],+                    'accordion_media' => [+                        'title' => esc_html__( 'Accordion with Media (Pro)', 'essential-addons-for-elementor-lite' ),+						'image' => $image_path . 
'media.png'+                    ],+                ],+                'conditions' => ['accordion_media'],+            ]+        );+         $this->add_control(             'eael_adv_accordion_type',             [                 'label'       => esc_html__('Accordion Type', 'essential-addons-for-elementor-lite'),-                'type'        => Controls_Manager::SELECT,+                'type'        => Controls_Manager::CHOOSE,                 'default'     => 'accordion',-                'label_block' => false,-                'options'     => [-                    'accordion' => esc_html__('Accordion', 'essential-addons-for-elementor-lite'),-                    'toggle'    => esc_html__('Toggle', 'essential-addons-for-elementor-lite'),+                'label_block' => true,+                'toggle'      => false,+                'image_choose'=> true,+                'options'     => $eael_accordion_layout['styles'],+            ]+        );++        $this->add_control(+            'eael_adv_accordion_type_pro_alert',+            [+                'label'     => sprintf( '<a target="_blank" href="https://wpdeveloper.com/upgrade/ea-pro">%s</a>', esc_html__('Only Available in Pro Version!', 'essential-addons-for-elementor-lite')),+                'type'      => Controls_Manager::HEADING,+                'condition' => [+                    'eael_adv_accordion_type' => $eael_accordion_layout['conditions'],                 ],             ]         );+         $this->add_control(             'eael_adv_accordion_title_tag',             [@@ -163,6 +198,76 @@                 ],             ]         );++        $this->add_control(+			'eael_accordion_media_custom_animation',+			[+				'label'  => esc_html__( 'Animation', 'essential-addons-for-elementor-lite' ),+				'type'   => Controls_Manager::SELECT,+				'groups' => [+					[+						'label' => esc_html__( 'None', 'essential-addons-for-elementor-lite' ),+						'options' => [+							'' => esc_html__( 'None', 
'essential-addons-for-elementor-lite' ),+						],+					],+					[+						'label' => esc_html__( 'Slide', 'essential-addons-for-elementor-lite' ),+						'options' => [+							'slide-top'    => esc_html__( 'Slide In Up', 'essential-addons-for-elementor-lite' ),+							'slide-bottom' => esc_html__( 'Slide In Down', 'essential-addons-for-elementor-lite' ),+							'slide-left'   => esc_html__( 'Slide In Left', 'essential-addons-for-elementor-lite' ),+							'slide-right'  => esc_html__( 'Slide In Right', 'essential-addons-for-elementor-lite' ),+						],+					],+					[+						'label' => esc_html__( 'Zoom', 'essential-addons-for-elementor-lite' ),+						'options' => [+							'zoom-in'  => esc_html__( 'Zoom In', 'essential-addons-for-elementor-lite' ),+							'zoom-out' => esc_html__( 'Zoom Out', 'essential-addons-for-elementor-lite' ),+						],+					],+                    [+						'label' => esc_html__( 'Fade', 'essential-addons-for-elementor-lite' ),+						'options' => [+							'fade-top' => esc_html__( 'Fade Slide Up', 'essential-addons-for-elementor-lite' ),+						],+					],+                    [+						'label' => esc_html__( 'Rotate', 'essential-addons-for-elementor-lite' ),+						'options' => [+							'rotate-zoom' => esc_html__( 'Rotate Zoom', 'essential-addons-for-elementor-lite' ),+						],+					],+				],+				'prefix_class' => 'eael-accordion_animation-',+                'condition'    => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+			]+		);++        $this->add_control(+			'eael_accordion_media_custom_animation_duration',+			[+				'label' => esc_html__( 'Transition Duration', 'essential-addons-for-elementor-lite' ),+				'type'  => Controls_Manager::SLIDER,+				'range' => [+					'px' => [+						'min'  => 0,+						'max'  => 10,+						'step' => 0.1,+					],+				],+				'default' => [+					'size' => 0.6,+				],+                'condition'    => [+                    'eael_adv_accordion_type' => 'accordion_media',+                
],+			]+		);+         $this->add_control(             'eael_adv_accordion_icon_show',             [@@ -170,6 +275,9 @@                 'type'         => Controls_Manager::SWITCHER,                 'default'      => 'yes',                 'return_value' => 'yes',+                'condition'    => [+                    'eael_adv_accordion_type!' => 'accordion_media',+                ],             ]         );         $this->add_control(@@ -183,6 +291,7 @@                 'return_value' => 'right',                 'condition'    => [                     'eael_adv_accordion_icon_show' => 'yes',+                    'eael_adv_accordion_type!' => 'accordion_media',                 ],             ]         );@@ -199,6 +308,7 @@                 ],                 'condition'        => [                     'eael_adv_accordion_icon_show' => 'yes',+                    'eael_adv_accordion_type!' => 'accordion_media',                 ],             ]         );@@ -209,6 +319,9 @@                 'type'        => Controls_Manager::NUMBER,                 'label_block' => false,                 'default'     => 300,+                'condition'    => [+                    'eael_adv_accordion_type!' => 'accordion_media',+                ],             ]         ); @@ -221,6 +334,9 @@                 'label_block' => false,                 'default'     => 0,                 'min'         => 0,+                'condition'    => [+                    'eael_adv_accordion_type!' => 'accordion_media',+                ],             ]         ); @@ -231,6 +347,9 @@ 			    'type'        => Controls_Manager::NUMBER, 			    'label_block' => false, 			    'default'     => 300,+                'condition'    => [+                    'eael_adv_accordion_type!' => 'accordion_media',+                ], 		    ] 	    ); 
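Review bot: In the `@@ -131,19 +132,53 @@` hunk, the label of `eael_adv_accordion_type_pro_alert` is built from a raw `<a target="_blank" href="https://wpdeveloper.com/upgrade/ea-pro">` with no `rel` attribute; add `rel="noopener noreferrer"` so the linked page never gets a `window.opener` handle back to the editor. The same hunk makes `accordion_media` a selectable value of `eael_adv_accordion_type` in the lite build, and the hunks up to this point only add or hide editor controls for it, so it is worth confirming what the widget renders when that value is saved on a site without Pro. The new `do_action( 'eael_adv_accordion_media_type_controls', $this )` call in the first hunk should also get a docblock stating that it hands the widget instance to every listener.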
@@ -241,6 +360,9 @@ 			    'type'         => Controls_Manager::SWITCHER, 			    'default'      => 'no', 			    'return_value' => 'yes',+                'condition'    => [+                    'eael_adv_accordion_type!' => 'accordion_media',+                ], 		    ] 	    ); @@ -265,6 +387,9 @@             'eael_section_adv_accordion_content_settings',             [                 'label' => esc_html__('Content Settings', 'essential-addons-for-elementor-lite'),+                'condition' => [+                    'eael_adv_accordion_type!' => 'accordion_media',+                ],             ]         ); 
@@ -313,8 +438,8 @@             ]         ); -		$this->start_controls_tab( 'eael_adv_accordion_open_icon_tab', -            [ +		$this->start_controls_tab( 'eael_adv_accordion_open_icon_tab',+            [                 'label' => esc_html__( 'Opened Tab Icon', 'essential-addons-for-elementor-lite' ),             ]         );@@ -333,8 +458,8 @@  		$this->end_controls_tab(); -        $this->start_controls_tab( 'eael_adv_accordion_closed_icon_tab', -            [ +        $this->start_controls_tab( 'eael_adv_accordion_closed_icon_tab',+            [                 'label' => esc_html__( 'Closed Tab Icon', 'essential-addons-for-elementor-lite' ),             ]         );@@ -537,7 +662,8 @@                 'fields' => $repeater->get_controls(),                 'title_field' => '{{eael_adv_accordion_tab_title}}',                 'condition' => [-                    'eael_adv_accordion_content_source' => 'custom'+                    'eael_adv_accordion_content_source' => 'custom',+                    'eael_adv_accordion_type!' 
=> 'accordion_media'                 ]             ]         );@@ -594,6 +720,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-wrapper' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -605,6 +732,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-wrapper' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -613,7 +741,7 @@             [                 'name'     => 'eael_adv_accordion_border',                 'label'    => esc_html__('Border', 'essential-addons-for-elementor-lite'),-                'selector' => '{{WRAPPER}} .eael-adv-accordion',+                'selector' => '{{WRAPPER}} .eael-adv-accordion, {{WRAPPER}} .eael-accordion_media-wrapper',             ]         );         $this->add_responsive_control(@@ -624,6 +752,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-wrapper' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -631,9 +760,173 @@             Group_Control_Box_Shadow::get_type(),             [                 'name'     => 'eael_adv_accordion_box_shadow',-                'selector' => '{{WRAPPER}} 
.eael-adv-accordion',+                'selector' => '{{WRAPPER}} .eael-adv-accordion, {{WRAPPER}} .eael-accordion_media-wrapper',             ]         );++        $this->add_responsive_control(+			'eael_adv_accordion_media_content_width',+			[+				'label'      => esc_html__( 'Content Width', 'essential-addons-for-elementor-lite' ),+				'type'       => Controls_Manager::SLIDER,+				'size_units' => [ 'px', '%', 'em', 'rem', 'custom' ],+				'range'      => [+					'%' => [+						'min' => 0,+						'max' => 100,+					],+				],+				'default' => [+					'unit' => '%',+					'size' => 50,+				],+				'selectors' => [+					'{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists' => 'width: {{SIZE}}{{UNIT}};',+				],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+			]+		);++        $this->add_responsive_control(+			'eael_adv_accordion_media_content_gap',+			[+				'label'      => esc_html__( 'Content Gap', 'essential-addons-for-elementor-lite' ),+				'type'       => Controls_Manager::SLIDER,+				'size_units' => [ 'px', '%', 'em', 'rem', 'custom' ],+				'range'      => [+					'px' => [+						'min'  => 0,+						'max'  => 1000,+						'step' => 1,+					],+				],+				'default' => [+					'unit' => 'px',+					'size' => 12,+				],+				'selectors' => [+					'{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists' => 'gap: {{SIZE}}{{UNIT}};',+				],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+			]+		);++        $this->add_control(+			'eael_adv_accordion_media_more_options',+			[+				'label'     => esc_html__( 'Media Options', 'essential-addons-for-elementor-lite' ),+				'type'      => Controls_Manager::HEADING,+				'separator' => 'before',+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+			]+		);++        $this->add_responsive_control(+			
'eael_adv_accordion_media_gap',+			[+				'label'      => esc_html__( 'Media Gap', 'essential-addons-for-elementor-lite' ),+				'type'       => Controls_Manager::SLIDER,+				'size_units' => [ 'px', '%', 'em', 'rem', 'custom' ],+				'range'      => [+					'px' => [+						'min'  => 0,+						'max'  => 1000,+						'step' => 1,+					],+				],+				'default' => [+					'unit' => 'px',+					'size' => 30,+				],+				'selectors' => [+					'{{WRAPPER}} .eael-accordion_media-wrapper' => 'gap: {{SIZE}}{{UNIT}};',+				],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+			]+		);++        $this->add_responsive_control(+			'eael_adv_accordion_media_direction',+			[+				'label'   => esc_html__( 'Media Direction', 'essential-addons-for-elementor-lite' ),+				'type'    => Controls_Manager::CHOOSE,+				'options' => [+					'row' => [+						'title' => esc_html__( 'Left', 'essential-addons-for-elementor-lite' ),+						'icon'  => 'eicon-align-end-h',+					],+					'row-reverse' => [+						'title' => esc_html__( 'Right', 'essential-addons-for-elementor-lite' ),+						'icon'  => 'eicon-align-start-h',+					],+				],+				'default'   => 'row',+				'toggle'    => false,+				'selectors' => [+					'{{WRAPPER}} .eael-accordion_media-wrapper' => 'flex-direction: {{VALUE}};',+				],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+			]+		);++        $this->add_responsive_control(+			'eael_adv_accordion_media_image_height',+			[+				'label'      => esc_html__( 'Height', 'essential-addons-for-elementor-lite' ),+				'type'       => Controls_Manager::SLIDER,+				'size_units' => [ 'vh', 'px', 'rem', 'custom' ],+				'range' => [+					'vh' => [+						'min' => 0,+						'max' => 100,+						'step' => 1,+					],+					'px' => [+						'min' => 0,+						'max' => 1000,+						'step' => 1,+					],+				],+				'default' => [+					'unit' => 'vh',+					'size' => 50,+				],+          
      'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+				'selectors' => [+					'{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-images' => 'height: {{SIZE}}{{UNIT}};',+				],+			]+		);++        $this->add_responsive_control(+			'eael_adv_accordion_media_image_border_radius',+			[+				'label' => esc_html__( 'Border Radius', 'essential-addons-for-elementor-lite' ),+				'type' => Controls_Manager::DIMENSIONS,+				'size_units' => [ 'px', '%', 'em', 'rem', 'custom' ],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+				'selectors' => [+					'{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-images,+                    {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-image.active,+                    {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-image' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+				],+			]+		);+         $this->end_controls_section();     } 
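Review bot: In `eael_adv_accordion_media_direction` (hunk `@@ -631,9 +760,173 @@`), the option titled 'Left' maps to `row` with `eicon-align-end-h` and 'Right' maps to `row-reverse` with `eicon-align-start-h`, so in a left-to-right layout the start/end icon names read as the opposite side from their titles; swap the icons or add a comment saying which element the label refers to. In the same hunk, `eael_adv_accordion_media_content_width` offers `px`, `em` and `rem` in `size_units` but defines a `range` only for `%`, and `eael_adv_accordion_media_image_height` lists `rem` with no range; give those units explicit ranges.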
@@ -650,9 +943,23 @@             Group_Control_Typography::get_type(),             [                 'name'     => 'eael_adv_accordion_tab_title_typography',-                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header .eael-accordion-tab-title',+                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header .eael-accordion-tab-title, +                {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-list .eael-accordion_media-content .eael-accordion_media-title',             ]         );++        $this->add_control(+			'eael_adv_accordion_tab_icon_style_hading',+			[+				'label'     => esc_html__( 'Icon Style', 'essential-addons-for-elementor-lite' ),+				'type'      => Controls_Manager::HEADING,+				'separator' => 'before',+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+			]+		);+         $this->add_responsive_control(             'eael_adv_accordion_tab_icon_size',             [@@ -673,6 +980,8 @@                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header .fa-accordion-icon'   => 'font-size: {{SIZE}}{{UNIT}};',                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header svg.fa-accordion-icon'   => 'height: {{SIZE}}{{UNIT}};width: {{SIZE}}{{UNIT}};line-height: {{SIZE}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-list .eael-accordion_media-icon i'   => 'font-size: {{SIZE}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-list .eael-accordion_media-icon svg'   => 'height: {{SIZE}}{{UNIT}}; width: {{SIZE}}{{UNIT}}; line-height: {{SIZE}}{{UNIT}};',                 ],             ]         );@@ -694,7 +1003,8 @@                     ],                 ],                 'selectors'  => [-                    '{{WRAPPER}} .eael-adv-accordion 
.eael-accordion-list .eael-accordion-header .fa-accordion-icon'   => 'margin-left: {{SIZE}}{{UNIT}};',+                    '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header .fa-accordion-icon,+                    {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-list'   => 'gap: {{SIZE}}{{UNIT}};',                 ],                 'condition'  => [                     'eael_adv_accordion_toggle_icon_postion' => 'right',@@ -728,6 +1038,33 @@             ]         ); +        $this->add_group_control(+            Group_Control_Border::get_type(),+            [+                'name'     => 'eael_adv_accordion_media_tab_border_hover',+                'label'    => esc_html__('Border', 'essential-addons-for-elementor-lite'),+                'selector' => '{{WRAPPER}} .eael-accordion_media-lists .eael-accordion_media-icon',+                'condition'=> [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+            ]+        );++        $this->add_responsive_control(+            'eael_adv_accordion_media_tab_border_radius_hover',+            [+                'label'      => esc_html__('Border Radius', 'essential-addons-for-elementor-lite'),+                'type'       => Controls_Manager::DIMENSIONS,+                'size_units' => ['px', 'rem', '%'],+                'selectors'  => [+                    '{{WRAPPER}} .eael-accordion_media-lists .eael-accordion_media-icon' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                ],+                'condition'    => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+            ]+        );+         $this->add_responsive_control(             'eael_adv_accordion_tab_distance',             [@@ -737,6 +1074,9 @@                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list' => 
'margin-bottom: {{SIZE}}{{UNIT}};',                 ],+                'condition' => [+                    'eael_adv_accordion_type!' => 'accordion_media',+                ],             ]         ); 
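Review bot: In the `@@ -694,7 +1003,8 @@` hunk, the existing selector `.eael-accordion-header .fa-accordion-icon` changes from `margin-left: {{SIZE}}{{UNIT}}` to `gap: {{SIZE}}{{UNIT}}` because it now shares one rule with `.eael-accordion_media-list`; `gap` only spaces the children of a flex, grid or multi-column container, so unless the icon element is itself such a container the classic accordion loses its icon spacing. Keep the original `margin-left` entry and add the media-list `gap` under its own selector key. In the `@@ -650,9 +943,23 @@` hunk, the control ID `eael_adv_accordion_tab_icon_style_hading` is misspelled and should read `..._heading`.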
@@ -748,6 +1088,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-title' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -759,6 +1100,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-title' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -772,7 +1114,8 @@             [                 'name'     => 'eael_adv_accordion_tab_bgtype',                 'types'    => ['classic', 'gradient'],-                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header',+                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header, +                {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-list',             ]         );         $this->add_control(@@ -783,6 +1126,7 @@                 'default'   => '#333',                 'selectors' => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header .eael-accordion-tab-title' => 'color: {{VALUE}};',+                    '{{WRAPPER}} .eael-accordion_media-content .eael-accordion_media-title' => 'color: {{VALUE}};',                 ],             ]         );@@ -796,15 
+1140,32 @@                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header .fa-accordion-icon' => 'color: {{VALUE}};',                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header .fa-accordion-icon-svg svg' => 'color: {{VALUE}}; fill: {{VALUE}};',                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header svg' => 'fill: {{VALUE}};',+                    '{{WRAPPER}} .eael-accordion_media-list .eael-accordion_media-icon' => 'color: {{VALUE}};',                 ]             ]         );++        $this->add_control(+            'eael_adv_accordion_tab_icon_border_color',+            [+                'label'     => esc_html__('Icon Border Color', 'essential-addons-for-elementor-lite'),+                'type'      => Controls_Manager::COLOR,+                'selectors' => [+                    '{{WRAPPER}} .eael-accordion_media-list .eael-accordion_media-icon' => 'border-color: {{VALUE}};',+                ],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+            ]+        );+         $this->add_group_control(             Group_Control_Border::get_type(),             [                 'name'     => 'eael_adv_accordion_tab_border',                 'label'    => esc_html__('Border', 'essential-addons-for-elementor-lite'),-                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header',+                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header,+                {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-list',             ]         );         $this->add_responsive_control(@@ -815,6 +1176,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list 
.eael-accordion-header' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-list' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -833,7 +1195,8 @@             [                 'name'     => 'eael_adv_accordion_tab_bgtype_hover',                 'types'    => ['classic', 'gradient'],-                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover',+                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover, +                {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-list:not(.active):hover',             ]         );         $this->add_control(@@ -843,10 +1206,12 @@                 'type'      => Controls_Manager::COLOR,                 'default'   => '#fff',                 'selectors' => [-                    '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover .eael-accordion-tab-title' => 'color: {{VALUE}};',+                    '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover .eael-accordion-tab-title,+                    {{WRAPPER}} .eael-accordion_media-list:not(.active):hover .eael-accordion_media-title' => 'color: {{VALUE}};',                 ],             ]         );+         $this->add_control(             'eael_adv_accordion_tab_icon_color_hover',             [@@ -857,15 +1222,34 @@                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover .fa-accordion-icon' => 'color: {{VALUE}};',                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover .fa-accordion-icon svg' => 'color: {{VALUE}}; fill: {{VALUE}}',            
         '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover svg.fa-accordion-icon' => 'fill: {{VALUE}}',+                    '{{WRAPPER}} .eael-accordion_media-list:hover .eael-accordion_media-icon i'   => 'color: {{VALUE}};',+                    '{{WRAPPER}} .eael-accordion_media-list:hover .eael-accordion_media-icon svg'   => 'fill: {{VALUE}}',                 ]             ]         );++        $this->add_control(+            'eael_adv_accordion_tab_icon_border_color_hover',+            [+                'label'     => esc_html__('Icon Border Color', 'essential-addons-for-elementor-lite'),+                'type'      => Controls_Manager::COLOR,+                'default'   => '#fff',+                'selectors' => [+                    '{{WRAPPER}} .eael-accordion_media-list:not(.active):hover .eael-accordion_media-icon' => 'border-color: {{VALUE}};',+                ],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+            ]+        );+         $this->add_group_control(             Group_Control_Border::get_type(),             [                 'name'     => 'eael_adv_accordion_tab_border_hover',                 'label'    => esc_html__('Border', 'essential-addons-for-elementor-lite'),-                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover',+                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover,+                {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-list:hover',             ]         );         $this->add_responsive_control(@@ -876,6 +1260,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header:hover' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} 
{{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-list:hover' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -894,7 +1279,8 @@             [                 'name'     => 'eael_adv_accordion_tab_bgtype_active',                 'types'    => ['classic', 'gradient'],-                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active',+                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active, +                {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-list.active',             ]         );         $this->add_control(@@ -907,8 +1293,26 @@                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active'                           => 'color: {{VALUE}};',                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active .eael-accordion-tab-title' => 'color: {{VALUE}};',                 ],+                'condition' => [+                    'eael_adv_accordion_type!' 
=> 'accordion_media',+                ],+            ]+        );++        $this->add_control(+            'eael_accordion_media_tab_text_color_active',+            [+                'label'     => esc_html__('Text Color', 'essential-addons-for-elementor-lite'),+                'type'      => Controls_Manager::COLOR,+                'selectors' => [+                    '{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-list.active .eael-accordion_media-title' => 'color: {{VALUE}};',+                ],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],             ]         );+         $this->add_control(             'eael_adv_accordion_tab_icon_color_active',             [@@ -919,15 +1323,52 @@                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active .fa-accordion-icon' => 'color: {{VALUE}};',                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active .fa-accordion-icon svg' => 'color: {{VALUE}};fill: {{VALUE}}',                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active svg.fa-accordion-icon' => 'fill: {{VALUE}}',+                    '{{WRAPPER}} .eael-accordion_media-list.active .eael-accordion_media-icon i'   => 'color: {{VALUE}};',+                    '{{WRAPPER}} .eael-accordion_media-list.active .eael-accordion_media-icon svg'   => 'fill: {{VALUE}}',+                ],+                'condition' => [+                    'eael_adv_accordion_type!' 
=> 'accordion_media',+                ],+            ]+        );++        $this->add_control(+            'eael_adv_accordion_tab_icon_color_active_media',+            [+                'label'     => esc_html__('Icon Color', 'essential-addons-for-elementor-lite'),+                'type'      => Controls_Manager::COLOR,+                'default'   => '#333',+                'selectors' => [+                    '{{WRAPPER}} .eael-accordion_media-list.active .eael-accordion_media-icon i'   => 'color: {{VALUE}};',+                    '{{WRAPPER}} .eael-accordion_media-list.active .eael-accordion_media-icon svg'   => 'fill: {{VALUE}}',+                ],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',+                ],+            ]+        );++        $this->add_control(+            'eael_adv_accordion_tab_icon_border_color_active',+            [+                'label'     => esc_html__('Icon Border Color', 'essential-addons-for-elementor-lite'),+                'type'      => Controls_Manager::COLOR,+                'selectors' => [+                    '{{WRAPPER}} .eael-accordion_media-list.active .eael-accordion_media-icon' => 'border-color: {{VALUE}};',+                ],+                'condition' => [+                    'eael_adv_accordion_type' => 'accordion_media',                 ],             ]         );+         $this->add_group_control(             Group_Control_Border::get_type(),             [                 'name'     => 'eael_adv_accordion_tab_border_active',                 'label'    => esc_html__('Border', 'essential-addons-for-elementor-lite'),-                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active',+                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active,+                {{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists 
.eael-accordion_media-list.active',             ]         );         $this->add_responsive_control(@@ -938,6 +1379,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-header.active' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-wrapper .eael-accordion_media-lists .eael-accordion_media-list.active' => 'border-radius: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -962,6 +1404,9 @@                 'name'     => 'adv_accordion_content_bgtype',                 'types'    => ['classic', 'gradient'],                 'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content',+                'condition'=> [+                    'eael_adv_accordion_type!' => 'accordion_media',+                ],             ]         ); 
@@ -973,6 +1418,7 @@                 'default'   => '#333',                 'selectors' => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content' => 'color: {{VALUE}};',+                    '{{WRAPPER}} .eael-accordion_media-list .eael-accordion_media-content .eael-accordion_media-description' => 'color: {{VALUE}};',                 ],             ]         );@@ -980,7 +1426,8 @@             Group_Control_Typography::get_type(),             [                 'name'     => 'eael_adv_accordion_content_typography',-                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content',+                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content,+                {{WRAPPER}} .eael-accordion_media-list .eael-accordion_media-content .eael-accordion_media-description',             ]         );         $this->add_responsive_control(@@ -991,6 +1438,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-list.active .eael-accordion_media-content .eael-accordion_media-description' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -1002,6 +1450,7 @@                 'size_units' => ['px', 'em', '%'],                 'selectors'  => [                     '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+                    '{{WRAPPER}} .eael-accordion_media-list.active .eael-accordion_media-content .eael-accordion_media-description' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} 
{{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',                 ],             ]         );@@ -1010,14 +1459,16 @@             [                 'name'     => 'eael_adv_accordion_content_border',                 'label'    => esc_html__('Border', 'essential-addons-for-elementor-lite'),-                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content',+                'selector' => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content,+                {{WRAPPER}} .eael-accordion_media-list .eael-accordion_media-content .eael-accordion_media-description',             ]         );         $this->add_group_control(             Group_Control_Box_Shadow::get_type(),             [                 'name'      => 'eael_adv_accordion_content_shadow',-                'selector'  => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content',+                'selector'  => '{{WRAPPER}} .eael-adv-accordion .eael-accordion-list .eael-accordion-content,+                {{WRAPPER}} .eael-accordion_media-list .eael-accordion_media-content .eael-accordion_media-description',                 'separator' => 'before',             ]         );@@ -1031,6 +1482,9 @@             [                 'label' => esc_html__('Toggle Caret Style', 'essential-addons-for-elementor-lite'),                 'tab'   => Controls_Manager::TAB_STYLE,+                'condition'=> [+                    'eael_adv_accordion_type!' => 'accordion_media',+                ],             ]         ); 
@@ -1253,145 +1707,150 @@         $this->add_render_attribute('eael-adv-accordion', 'data-scroll-on-click', esc_attr( $settings['eael_adv_accordion_scroll_onclick'] ));         $this->add_render_attribute('eael-adv-accordion', 'data-scroll-speed', esc_attr( $settings['eael_adv_accordion_scroll_speed'] )); -        if( !empty($settings['eael_adv_accordion_custom_id_offset']) ){-            $this->add_render_attribute('eael-adv-accordion', 'data-custom-id-offset', esc_attr( $settings['eael_adv_accordion_custom_id_offset'] ) );-        }-?>-        <div <?php $this->print_render_attribute_string('eael-adv-accordion'); ?> <?php echo 'data-accordion-id="' . esc_attr($this->get_id()) . '"'; ?> <?php echo !empty($settings['eael_adv_accordion_type']) ? 'data-accordion-type="' . esc_attr($settings['eael_adv_accordion_type']) . '"' : 'accordion'; ?> <?php echo !empty($settings['eael_adv_accordion_toggle_speed']) ? 'data-toogle-speed="' . esc_attr($settings['eael_adv_accordion_toggle_speed']) . '"' : '300'; ?>>-    <?php -        if( 'dynamic' === $settings['eael_adv_accordion_content_source'] ) {-            $this->render_dynamic_content();+        // Advanced Accordion Media Type+        if ( 'accordion_media' === $settings['eael_adv_accordion_type'] ) {+            do_action( 'eael_adv_accordion_media_type', $settings, $this );         } else {-            foreach ($settings['eael_adv_accordion_tab'] as $index => $tab) {-                if( empty( $tab['eael_adv_accordion_tab_title'] ) || ( 'content' == $tab['eael_adv_accordion_text_type'] && empty( $tab['eael_adv_accordion_tab_content'] ) ) ){-                    continue;-                }--                $tab_count = $index + 1;-                $tab_title_setting_key = $this->get_repeater_setting_key('eael_adv_accordion_tab_title', 'eael_adv_accordion_tab', $index);-                $tab_content_setting_key = $this->get_repeater_setting_key('eael_adv_accordion_tab_content', 'eael_adv_accordion_tab', $index);--           
     $tab_title_class = ['elementor-tab-title', 'eael-accordion-header'];-                $tab_content_class = ['eael-accordion-content', 'clearfix'];--                $tab_icon_migrated = isset($tab['__fa4_migrated']['eael_adv_accordion_tab_title_icon_new']);-                $tab_icon_is_new = empty($tab['eael_adv_accordion_tab_title_icon']);--                if ($tab['eael_adv_accordion_tab_default_active'] == 'yes') {-                    $tab_title_class[] = 'active-default';-                    $tab_content_class[] = 'active-default';-                }--                $tab_id = $tab['eael_adv_accordion_tab_id'] ? $tab['eael_adv_accordion_tab_id'] : Helper::str_to_css_id( $tab['eael_adv_accordion_tab_title'] );-                $tab_id = $tab_id === 'safari' ? 'eael-safari' : $tab_id;--                $this->add_render_attribute($tab_title_setting_key, [-                    'id'            => $tab_id,-                    'class'         => $tab_title_class,-                    'tabindex'      => 0,-                    'data-tab'      => $tab_count,-                    'aria-controls' => 'elementor-tab-content-' . $id_int . $tab_count,-                ]);--                $this->add_render_attribute($tab_content_setting_key, [-                    'id'              => 'elementor-tab-content-' . $id_int . 
$tab_count,-                    'class'           => $tab_content_class,-                    'data-tab'        => $tab_count,-    //                'role'            => 'tabpanel',-                    'aria-labelledby' => $tab_id,-                ]);--            echo '<div class="eael-accordion-list">-                <div '; $this->print_render_attribute_string($tab_title_setting_key); echo '>';-            // toggle icon if user set position to left-            if ($settings['eael_adv_accordion_icon_show'] === 'yes' && $settings['eael_adv_accordion_toggle_icon_postion'] === '') {-                $this->print_toggle_icon($settings);-            }-            // tab title-            if ($settings['eael_adv_accordion_toggle_icon_postion'] === '') {-                $title_tag = Helper::eael_validate_html_tag( $settings['eael_adv_accordion_title_tag'] );-                $title = '<' . $title_tag  . ' class="eael-accordion-tab-title">' . $tab['eael_adv_accordion_tab_title'] . '</' . $title_tag . 
'>';-                echo wp_kses( $title, Helper::eael_allowed_tags() );-            }-            // tab icon-            if ($tab['eael_adv_accordion_tab_icon_show'] === 'yes') {-                if ($tab_icon_is_new || $tab_icon_migrated) {-                    if ( 'svg' === $tab['eael_adv_accordion_tab_title_icon_new']['library'] ) {-                        echo '<span class="fa-accordion-icon fa-accordion-icon-svg eaa-svg eael-advanced-accordion-icon-closed">';-                        Icons_Manager::render_icon( $tab['eael_adv_accordion_tab_title_icon_new'] );-                        echo '</span>';-                    }else{-                        echo '<span class="eael-advanced-accordion-icon-closed">';-                        Icons_Manager::render_icon( $tab['eael_adv_accordion_tab_title_icon_new'], [ 'aria-hidden' => 'true', 'class' => "fa-accordion-icon" ] );-                        echo '</span>';-                    }--                        if ( 'svg' === $tab['eael_adv_accordion_tab_title_icon_new_opened']['library'] ) {-                            echo '<span class="fa-accordion-icon fa-accordion-icon-svg eaa-svg eael-advanced-accordion-icon-opened">';-                            Icons_Manager::render_icon( $tab['eael_adv_accordion_tab_title_icon_new_opened'] );-                            echo '</span>';-                        }else{-                            echo '<span class="eael-advanced-accordion-icon-opened">';-                            Icons_Manager::render_icon( $tab['eael_adv_accordion_tab_title_icon_new_opened'], [ 'aria-hidden' => 'true', 'class' => "fa-accordion-icon" ] );-                            echo '</span>';-                        }--                } else {-                    echo '<span class="eael-advanced-accordion-icon-closed"><i class="' . ( ! empty( $tab['eael_adv_accordion_tab_title_icon'] ) ? esc_attr( $tab['eael_adv_accordion_tab_title_icon'] ) : '' ) . 
' fa-accordion-icon"></i></span>';-                    echo '<span class="eael-advanced-accordion-icon-opened"><i class="' . ( ! empty( $tab['eael_adv_accordion_tab_title_icon_opened'] ) ? esc_attr( $tab['eael_adv_accordion_tab_title_icon_opened'] ) : ' fa fa-minus ' ) . ' fa-accordion-icon"></i></span>';-                }-            }-            // tab title-            if ($settings['eael_adv_accordion_toggle_icon_postion'] === 'right' || $settings['eael_adv_accordion_toggle_icon_postion'] === null) {-                $title_tag = Helper::eael_validate_html_tag( $settings['eael_adv_accordion_title_tag'] );-                $title = '<' . $title_tag . ' class="eael-accordion-tab-title">' . $tab['eael_adv_accordion_tab_title'] . '</' . $title_tag . '>';-                echo wp_kses( $title, Helper::eael_allowed_tags() );-            }-            // toggle icon-            if ($settings['eael_adv_accordion_icon_show'] === 'yes' && $settings['eael_adv_accordion_toggle_icon_postion'] === 'right') {-                $this->print_toggle_icon( $settings );-            }-            echo '</div>';--            echo '<div ';  $this->print_render_attribute_string($tab_content_setting_key); echo '>';-            if ('content' == $tab['eael_adv_accordion_text_type']) {-                // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped-                echo $this->parse_text_editor( $tab['eael_adv_accordion_tab_content'] );-            } elseif ('template' == $tab['eael_adv_accordion_text_type']) {-                if ( ! empty( $tab['eael_primary_templates'] ) && Helper::is_elementor_publish_template( $tab['eael_primary_templates'] ) ) {-                    // WPML Compatibility-                    if ( ! 
is_array( $tab['eael_primary_templates'] ) ) {-                        $tab['eael_primary_templates'] = apply_filters( 'wpml_object_id', $tab['eael_primary_templates'], 'wp_template', true );+            if( !empty($settings['eael_adv_accordion_custom_id_offset']) ){+                        $this->add_render_attribute('eael-adv-accordion', 'data-custom-id-offset', esc_attr( $settings['eael_adv_accordion_custom_id_offset'] ) );                     }--	                Helper::eael_onpage_edit_template_markup( get_the_ID(), $tab['eael_primary_templates'] );-                    // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped-                    echo Plugin::$instance->frontend->get_builder_content( $tab['eael_primary_templates'], true ); -                }-            }-            echo '</div>-                </div>';-        }-        echo '</div>';-        -        // FAQ Schema-        if ( !empty( $settings['eael_adv_accordion_faq_schema_show'] ) && 'yes' === $settings['eael_adv_accordion_faq_schema_show'] ) {-            foreach ( $settings['eael_adv_accordion_tab'] as $index => $tab ) {-                $faq_schema_text = ! empty( $tab['eael_adv_accordion_tab_faq_schema_text'] ) ? $tab['eael_adv_accordion_tab_faq_schema_text'] : '';
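Review bot: In the @@ -919,15 +1323,52 hunk, `eael_adv_accordion_tab_icon_color_active` gains two `.eael-accordion_media-list.active .eael-accordion_media-icon` selectors and, in the same change, the condition `'eael_adv_accordion_type!' => 'accordion_media'`. The control is therefore inactive exactly when those selectors could match, and the new `eael_adv_accordion_tab_icon_color_active_media` control already carries the same two selectors. Suggest dropping the media selectors from the first control. The multi-line `'selector'` strings in this and the neighbouring hunks also embed a literal newline and indentation inside the quoted value (one has a trailing space after the comma); keeping each selector list on one line or concatenating the parts would avoid that.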
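Review bot: In the @@ -1253,145 +1707,150 hunk, the new `accordion_media` branch emits nothing itself and passes `$settings` and `$this` to `do_action( 'eael_adv_accordion_media_type', $settings, $this );`, so the markup and its escaping depend entirely on whichever callback is registered, and none is visible in this hunk. Suggest documenting on the hook that callbacks must escape titles and attributes the way the removed inline renderer did (`wp_kses( $title, Helper::eael_allowed_tags() )`, `esc_attr()`), and deciding what the widget outputs when no callback is attached. The `data-custom-id-offset` block moved into the `else` branch is also indented deeper than the `if` that wraps it.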
AI Analysis

## Security Analysis Results

**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting - XSS) - CWE-79 - includes/Elements/Adv_Accordion.php Line 167
[Old Code]
```php
$eael_accordion_layout = apply_filters(
    'eael_adv_accordion_styles',
    [
        'styles' => [
            'accordion' => [
                'title' => esc_html__( 'Accordion', 'essential-addons-for-elementor-lite' ),
                'image' => $image_path . 'default.png'
```
[Fixed Code]
```php
$image_path = EAEL_PLUGIN_URL . 'assets/admin/images/layout-previews/accordion-';
$eael_accordion_layout = apply_filters(
    'eael_adv_accordion_styles',
    [
        'styles' => [
            'accordion' => [
                'title' => esc_html__( 'Accordion', 'essential-addons-for-elementor-lite' ),
                'image' => $image_path . 'default.png'
```
Explanation: The fixed code properly defines `$image_path` using `EAEL_PLUGIN_URL` constant before using it. However, the image paths themselves are concatenated strings without explicit escaping. The vulnerability concern is mitigated by using a constant for the base path, but the concatenated image filenames ('default.png', 'toggle.png', 'media.png') are hardcoded literals, making them safe from injection. The primary fix ensures proper path initialization.

**Vulnerability 2:**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting - XSS) - CWE-79 - includes/Elements/Adv_Accordion.php Line 172
[Old Code]
```php
'label'     => sprintf( '<a target="_blank" href="https://wpdeveloper.com/upgrade/ea-pro">%s</a>', esc_html__('Only Available in Pro Version!', 'essential-addons-for-elementor-lite')),
```
[Fixed Code]
```php
'label'     => sprintf( '<a target="_blank" href="https://wpdeveloper.com/upgrade/ea-pro">%s</a>', esc_html__('Only Available in Pro Version!', 'essential-addons-for-elementor-lite')),
```
Explanation: The HTML markup in the sprintf statement is not escaped. While the string content is properly escaped with `esc_html__()`, the HTML tags themselves are unescaped. This could be problematic if the sprintf is used in a context expecting plain text. However, since this is explicitly a `HEADING` control type in Elementor, it may be intentionally allowing HTML. The code doesn't change in security posture between old and new versions—both are equally vulnerable or equally safe depending on the control context.

**Vulnerability 3:**

Vulnerability Existed: not sure
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting - XSS) - CWE-79 - includes/Elements/Adv_Accordion.php Lines 1759-1760
[Old Code]
```php
echo '<div class="eael-accordion-list">
                <div '; $this->print_render_attribute_string($tab_title_setting_key); echo '>';
```
[Fixed Code]
```php
} else {
            if( !empty($settings['eael_adv_accordion_custom_id_offset']) ){
                        $this->add_render_attribute('eael-adv-accordion', 'data-custom-id-offset', esc_attr( $settings['eael_adv_accordion_custom_id_offset'] ) );
```
Explanation: The diff shows the old rendering code (lines 1759+) being replaced with a conditional check for `accordion_media` type. The old code called `do_action()` hooks which is a safer pattern than direct HTML output. The new code delegates rendering to an action hook `eael_adv_accordion_media_type`, which is a more secure approach as it defers rendering to other components. The change improves security by using hooks rather than inline rendering, but the vulnerability depends on how the hooked function implements the rendering.

All three findings relate to output escaping and HTML rendering contexts. The main security improvements in this patch involve using action hooks for media type rendering and properly initializing image paths before use.
CVE Analysis Results:
CVE-2026-1004: No
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.
includes/Elements/Event_Calendar.php AI: No vulnerabilities
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Elements/Event_Calendar.php	2026-01-16 00:20:08.728177548 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Elements/Event_Calendar.php	2026-01-16 00:21:01.211471308 +0000@@ -3989,7 +3989,8 @@                 $settings_eael_event_global_popup_ribbon_color = $this->fetch_color_or_global_color($settings, 'eael_event_global_popup_ribbon_color');                  if( !empty( $settings["eael_old_events_hide"] ) && 'yes' === $settings["eael_old_events_hide"] ){-                    $is_old_event = $this->is_old_event($ev_start_date);+                    $is_old_event = $this->is_old_event($ev_start_date, '', 'yes' === $all_day);+                                         if($is_old_event) {                         continue;                     }@@ -3997,7 +3998,7 @@  	            if( $settings['eael_old_events_hide'] === 'start' ){                     $default_date = $settings['eael_event_default_date_type'] === 'custom' ? $settings['eael_event_calendar_default_date'] : gmdate( 'Y-m-d' );-                    $should_show  = $this->is_old_event( $ev_start_date, $default_date );+                    $should_show  = $this->is_old_event( $ev_start_date, $default_date, 'yes' === $all_day );                      if ( $should_show ) {                         continue;@@ -4137,17 +4138,28 @@         return $calendar_data;     } -	public function is_old_event( $start_date, $date_to_comp = '' ) {-		$date_to_comp         = $date_to_comp === '' ? current_time( 'Y-m-d' ) : $date_to_comp;-		$date_to_comp         = strtotime( $date_to_comp . 
wp_timezone_string() );-		$start_date_timestamp = strtotime( $start_date );--		if ( $start_date_timestamp < $date_to_comp ) {-			return true;-		}+	public function is_old_event( $start_date, $date_to_comp = '', $is_all_day = false ) {++        // Use WP timezone correctly+        $tz = wp_timezone();++        // Default comparison date = today (site timezone)+        if ( $date_to_comp === '' ) {+            $date_to_comp = current_time( 'Y-m-d' );+        }++        // ✅ All-day event: compare dates only+        if ( $is_all_day ) {+            return strtotime( $start_date ) < strtotime( $date_to_comp );+        }++        // ✅ Timed event: compare full datetime with timezone+        $start = new \DateTime( $start_date, $tz );+        $now   = new \DateTime( 'now', $tz );++        return $start < $now;+    } -		return false;-	}      public function fetch_color_or_global_color($settings, $control_name=''){         if( !isset($settings[$control_name])) {
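Review bot: In the rewritten `is_old_event()` (hunk @@ -4137,17 +4138,28), the timed-event path never reads `$date_to_comp`: it builds `$now = new \DateTime( 'now', $tz );` and returns `$start < $now`. The caller in the @@ -3997,7 +3998,7 hunk passes `$default_date` for the `'start'` setting, so whenever `$all_day` is not `'yes'` that call is now compared against the current time instead of the configured default date. Suggest deriving the comparison point from `$date_to_comp` in `$tz` on both paths, and not leaving the all-day path on bare `strtotime()`, which uses PHP's default timezone rather than `$tz`. `new \DateTime( $start_date, $tz )` also throws on a string it cannot parse, where the old `strtotime()` returned false, so a guard or try/catch would keep one malformed event date from aborting the loop. The emoji in the comments and the mixed tab and space indentation should be cleaned up as well.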
AI Analysis
## Security Analysis Results

### Vulnerability 1: Improper Timezone Handling

**Vulnerability Existed:** yes

**CWE-116 (Improper Encoding or Escaping of Output) / CWE-613 (Insufficient Session Expiration) - Timezone Logic Error** - includes/Elements/Event_Calendar.php - Lines 4140-4150 (old), 4141-4161 (new)

**Old Code:**
```php
public function is_old_event( $start_date, $date_to_comp = '' ) {
    $date_to_comp         = $date_to_comp === '' ? current_time( 'Y-m-d' ) : $date_to_comp;
    $date_to_comp         = strtotime( $date_to_comp . wp_timezone_string() );
    $start_date_timestamp = strtotime( $start_date );

    if ( $start_date_timestamp < $date_to_comp ) {
        return true;
    }

    return false;
}
```

**Fixed Code:**
```php
public function is_old_event( $start_date, $date_to_comp = '', $is_all_day = false ) {

    // Use WP timezone correctly
    $tz = wp_timezone();

    // Default comparison date = today (site timezone)
    if ( $date_to_comp === '' ) {
        $date_to_comp = current_time( 'Y-m-d' );
    }

    // ✅ All-day event: compare dates only
    if ( $is_all_day ) {
        return strtotime( $start_date ) < strtotime( $date_to_comp );
    }

    // ✅ Timed event: compare full datetime with timezone
    $start = new \DateTime( $start_date, $tz );
    $now   = new \DateTime( 'now', $tz );

    return $start < $now;
}
```

**Explanation:**

The old code had a critical timezone handling vulnerability. The line `strtotime( $date_to_comp . wp_timezone_string() )` was incorrectly concatenating the timezone string directly to the date string, which `strtotime()` cannot properly parse. This caused timestamp comparisons to be performed incorrectly, potentially comparing dates in different timezones or with invalid timestamp values.

The fix properly addresses this by:
1. Using `wp_timezone()` to get a proper DateTimeZone object
2. Creating DateTime objects with the correct timezone context
3. Adding an `$is_all_day` parameter to differentiate between all-day events and timed events
4. For timed events, using DateTime objects with proper timezone handling ensures accurate UTC conversion and comparison
5. For all-day events, comparing dates only without timezone complications

This prevents logic errors where events could be incorrectly marked as "old" or "new" due to timezone misalignment, which could affect event visibility and functionality.
CVE Analysis Results:
CVE-2026-1004: No
includes/Elements/Product_Grid.php AI: Not Sure
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Elements/Product_Grid.php	2026-01-16 00:20:08.736178051 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Elements/Product_Grid.php	2026-01-16 00:21:01.499489370 +0000@@ -2,6 +2,8 @@  namespace Essential_Addons_Elementor\Elements; +use Elementor\Plugin;+ // If this file is called directly, abort. if (!defined('ABSPATH')) {     exit;@@ -13,7 +15,6 @@ use Elementor\Group_Control_Box_Shadow; use Elementor\Group_Control_Image_Size; use Elementor\Group_Control_Typography;-use Elementor\Plugin; use Elementor\Widget_Base; use Essential_Addons_Elementor\Classes\Helper as HelperClass; use Essential_Addons_Elementor\Template\Content\Product_Grid as Product_Grid_Trait;@@ -418,7 +419,7 @@             'eael_show_product_sale_badge',             [                 'label' => esc_html__( 'Show Badge ?', 'essential-addons-for-elementor-lite' ),-                'type' => \Elementor\Controls_Manager::SWITCHER,+                'type' => Controls_Manager::SWITCHER,                 'label_on' => esc_html__( 'Show', 'essential-addons-for-elementor-lite' ),                 'label_off' => esc_html__( 'Hide', 'essential-addons-for-elementor-lite' ),                 'return_value' => 'yes',@@ -430,7 +431,7 @@ 		    'eael_wc_loop_hooks', 		    [ 			    'label'        => esc_html__( 'WooCommerce Loop Hooks', 'essential-addons-for-elementor-lite' ),-			    'type'         => \Elementor\Controls_Manager::SWITCHER,+			    'type'         => Controls_Manager::SWITCHER, 			    'label_on'     => esc_html__( 'ON', 'essential-addons-for-elementor-lite' ), 			    'label_off'    => esc_html__( 'OFF', 'essential-addons-for-elementor-lite' ), 			    'return_value' => 'yes',@@ -1241,7 +1242,7 @@             'eael_product_grid_content_alignment',             [                 'label' => __('Alignment', 'essential-addons-for-elementor-lite'),-                'type' => \Elementor\Controls_Manager::CHOOSE,+                'type' => 
Controls_Manager::CHOOSE,                 'options' => [                     'left' => [                         'title' => __('Left', 'essential-addons-for-elementor-lite'),@@ -1450,7 +1451,7 @@         );          $this->add_group_control(-            \Elementor\Group_Control_Box_Shadow::get_type(),+            Group_Control_Box_Shadow::get_type(),             [                 'name' => 'eael_peoduct_grid_shadow',                 'label' => __('Box Shadow', 'essential-addons-for-elementor-lite'),@@ -2748,6 +2749,9 @@             [                 'label'     => __('Previous Label', 'essential-addons-for-elementor-lite'),                 'default'   => __('←', 'essential-addons-for-elementor-lite'),+                'ai' => [+                    'active' => false,+                ],                 'condition' => [                     'show_pagination' => 'true',                 ]@@ -2759,6 +2763,9 @@             [                 'label'     => __('Next Label', 'essential-addons-for-elementor-lite'),                 'default'   => __('→', 'essential-addons-for-elementor-lite'),+                'ai' => [+                    'active' => false,+                ],                 'condition' => [                     'show_pagination' => 'true',                 ]@@ -3632,8 +3639,9 @@ 	    if ( $settings['post_type'] === 'source_dynamic' && is_archive() || ! 
empty( $_REQUEST['post_type'] ) ) { 		    $settings['posts_per_page'] = $settings['eael_product_grid_products_count'] ?: 4; 		    $settings['offset']         = $settings['product_offset'];-		    $args                       = HelperClass::get_query_args( $settings );-		    $args                       = HelperClass::get_dynamic_args( $settings, $args );+		    $wp_args                    = HelperClass::get_query_args( $settings );+		    $wp_args                    = HelperClass::get_dynamic_args( $settings, $wp_args );+		    $args                       = $this->convert_wp_query_args_to_wc_product_query( $wp_args ); 	    } else { 		    $args = $this->build_product_query( $settings ); 	    }@@ -3648,21 +3656,25 @@                 $no_products_found = empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ? 1 : 0;                   if ( ! empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ){-                    $args['post__in'] = $user_ordered_products;+                    $args['include'] = $user_ordered_products;                 }                  if ( ! empty( $user_ordered_products ) && 'not-purchased' === $product_purchase_type ){-                    $args['post__not_in'] = $user_ordered_products;+                    if ( ! empty( $args['exclude'] ) ) {+                        $args['exclude'] = array_merge( $args['exclude'], $user_ordered_products );+                    } else {+                        $args['exclude'] = $user_ordered_products;+                    }                 }             }         }          if ( ! empty( $settings['eael_product_not_in'] ) ) {-            if ( ! empty( $args['post__not_in'] ) ) {-                $post_not_in = array_merge( $args['post__not_in'], $settings['eael_product_not_in'] );-                $args['post__not_in'] = $post_not_in;+            if ( ! 
empty( $args['exclude'] ) ) {+                $exclude = array_merge( $args['exclude'], $settings['eael_product_not_in'] );+                $args['exclude'] = $exclude;             } else {-                $args['post__not_in'] = $settings['eael_product_not_in'];+                $args['exclude'] = $settings['eael_product_not_in'];             }         } 
@@ -3724,13 +3736,33 @@                         global $wp_query;                         $query = $wp_query;                         $args  = $wp_query->query_vars;+                        $products = null;+                        $found_posts = $query->found_posts;                     } else {-	                    $query = new \WP_Query( $args );+                        $wc_query = new \WC_Product_Query( $args );+                        $products = $wc_query->get_products();++                        // WC_Product_Query with paginate=true returns an object with products, total, and max_num_pages+                        if ( is_object( $products ) && isset( $products->products ) ) {+                            $found_posts = $products->total;+                            $product_objects = $products->products;+                        } else {+                            // Fallback if paginate=false+                            $found_posts = count( $products );+                            $product_objects = $products;+                        }++                        // Create a mock query object for compatibility+                        $query = (object) [+                            'posts' => $product_objects,+                            'found_posts' => $found_posts,+                            'max_num_pages' => isset( $products->max_num_pages ) ? $products->max_num_pages : 1,+                        ];                     } -	                if ( $query->have_posts() && ! $no_products_found ) {-		                $found_posts        = $query->found_posts - $post_offset;-		                $max_page           = ceil( $found_posts / absint( $args['posts_per_page'] ) );+	                if ( ( $products !== null ? ! empty( $product_objects ) : $query->have_posts() ) && ! $no_products_found ) {+		                $found_posts        = $found_posts - $post_offset;+		                $max_page           = ceil( $found_posts / absint( $args['limit'] ?? 
$args['posts_per_page'] ?? 4 ) ); 		                $args['max_page']   = $max_page; 		                $args['total_post'] = $found_posts; @@ -3745,9 +3777,20 @@                         $this->add_render_attribute( 'eael-post-appender', 'data-layout-mode' , esc_attr( $settings['eael_product_grid_layout'] ) );                         echo '<ul '; $this->print_render_attribute_string( 'eael-post-appender' ); echo '>'; -                        while ( $query->have_posts() ) {-                            $query->the_post();-                            include( realpath( $template ) );+                            if ( $products !== null ) {+                                // Handle WC_Product_Query results+                                foreach ( $product_objects as $product ) {+                                    global $post;+                                    $post = get_post( $product->get_id() );+                                    setup_postdata( $post );+                                    include( realpath( $template ) );+                                }+                            } else {+                                // Handle WP_Query results (archive case)+                            while ( $query->have_posts() ) {+                                $query->the_post();+                                include( realpath( $template ) );+                                }                         }                         wp_reset_postdata(); @@ -3775,7 +3818,7 @@                     echo "</div>";                 } -                if ( $found_posts > $args['posts_per_page'] && 'source_archive' !== $settings['post_type'] ) {+                if ( $found_posts > ( $args['limit'] ?? $args['posts_per_page'] ?? 4 ) && 'source_archive' !== $settings['post_type'] ) { 	                $this->print_load_more_button( $settings, $args, $dir_name );                 } 
@@ -3820,47 +3863,37 @@      */     public function build_product_query( $settings ){         $args = [-            'post_type' => 'product',-            'post_status'    => ! empty( $settings['eael_product_grid_products_status'] ) ? $settings['eael_product_grid_products_status'] : [ 'publish', 'pending', 'future' ],-            'posts_per_page' => $settings['eael_product_grid_products_count'] ?: 4,+            'status'    => ! empty( $settings['eael_product_grid_products_status'] ) ? $settings['eael_product_grid_products_status'] : [ 'publish', 'pending', 'future' ],+            'limit' => $settings['eael_product_grid_products_count'] ?: 4,             'order' => (isset($settings['order']) ? $settings['order'] : 'desc'),             'offset' => $settings['product_offset'],-            'tax_query' => [-                'relation' => 'AND',-                [-                    'taxonomy' => 'product_visibility',-                    'field' => 'name',-                    'terms' => ['exclude-from-search', 'exclude-from-catalog'],-                    'operator' => 'NOT IN',-                ],-            ],+            'paginate' => true,+            'return' => 'objects',+            'visibility' => 'visible',         ];          if ( is_singular() ) {-            $args['post__not_in'] = [ get_the_ID() ];+            $args['exclude'] = [ get_the_ID() ];         }          // price & sku filter         if ($settings['orderby'] == '_price') {-            $args['orderby'] = 'meta_value_num';-            $args['meta_key'] = '_price';+            $args['orderby'] = 'price';         } else if ($settings['orderby'] == '_sku') {-            $args['orderby'] = 'meta_value meta_value_num';-            $args['meta_key'] = '_sku';+            $args['orderby'] = 'sku';         } else {             $args['orderby'] = (isset($settings['orderby']) ? $settings['orderby'] : 'date');         }          if ( ! 
empty( $settings['eael_product_grid_categories'] ) ) {-            $args['tax_query'][] = [-                'taxonomy' => 'product_cat',-                'field'    => 'slug',-                'terms'    => $settings['eael_product_grid_categories'],-                'operator' => 'IN',-            ];+            $args['category'] = $settings['eael_product_grid_categories'];         }          if ( ! empty( $settings['eael_product_cat_not_in'] ) ) {+            // WC_Product_Query doesn't have direct category exclusion, use tax_query for complex cases+            if ( ! isset( $args['tax_query'] ) ) {+                $args['tax_query'] = ['relation' => 'AND'];+            }             $args['tax_query'][] = [                 'taxonomy' => 'product_cat',                 'field'    => 'slug',@@ -3870,21 +3903,11 @@         }          if ( ! empty( $settings['eael_product_grid_tags'] ) ) {-            $args['tax_query'][] = [-                'taxonomy' => 'product_tag',-                'field'    => 'slug',-                'terms'    => $settings['eael_product_grid_tags'],-                'operator' => 'IN',-            ];+            $args['tag'] = $settings['eael_product_grid_tags'];         } -        $args['meta_query'] = ['relation' => 'AND'];-         if ( get_option('woocommerce_hide_out_of_stock_items') == 'yes' || 'yes' !== $settings['eael_product_show_stockout'] ) {-            $args['meta_query'][] = [-                'key' => '_stock_status',-                'value' => 'instock'-            ];+            $args['stock_status'] = 'instock';         }          // Handle on sale products exclusion@@ -3898,74 +3921,137 @@         }          if( function_exists('whols_lite') ){+            // Apply WooCommerce meta query filters if needed+            if ( ! 
isset( $args['meta_query'] ) ) {+                $args['meta_query'] = ['relation' => 'AND'];+            }             $args['meta_query'] = array_filter( apply_filters( 'woocommerce_product_query_meta_query', $args['meta_query'], new \WC_Query() ) );         }          if ($settings['eael_product_grid_product_filter'] == 'featured-products') {-            $args['tax_query'] = [-                'relation' => 'AND',-                [-                    'taxonomy' => 'product_visibility',-                    'field' => 'name',-                    'terms' => 'featured',-                ],-                [-                    'taxonomy' => 'product_visibility',-                    'field' => 'name',-                    'terms' => ['exclude-from-search', 'exclude-from-catalog'],-                    'operator' => 'NOT IN',-                ],-            ];-+            $args['featured'] = true;+            // Keep categories if specified             if ($settings['eael_product_grid_categories']) {-                $args['tax_query'][] = [-                    'taxonomy' => 'product_cat',-                    'field' => 'slug',-                    'terms' => $settings['eael_product_grid_categories'],-                ];+                $args['category'] = $settings['eael_product_grid_categories'];             }         }         else if ($settings['eael_product_grid_product_filter'] == 'best-selling-products') {-            $args['meta_key'] = 'total_sales';-            $args['orderby'] = 'meta_value_num';+            $args['orderby'] = 'total_sales';             $args['order'] = 'DESC';         }         else if ($settings['eael_product_grid_product_filter'] == 'sale-products') {-            $args['post__in']  = array_merge( array( 0 ), wc_get_product_ids_on_sale() );+            $sale_product_ids = wc_get_product_ids_on_sale();+            if ( ! 
empty( $sale_product_ids ) ) {+                $args['include'] = $sale_product_ids;+            } else {+                $args['include'] = [0]; // No products found+            }         }         else if ($settings['eael_product_grid_product_filter'] == 'top-products') {-            $args['meta_key'] = '_wc_average_rating';-            $args['orderby'] = 'meta_value_num';+            $args['orderby'] = 'average_rating';             $args['order'] = 'DESC';         }         else if ( $settings['eael_product_grid_product_filter'] == 'related-products' ) {             $current_product_id = get_the_ID();-            $product_categories = wp_get_post_terms( $current_product_id, 'product_cat', array( 'fields' => 'ids' ) );-            $product_tags       = wp_get_post_terms( $current_product_id, 'product_tag', array( 'fields' => 'names' ) );-            $args['tax_query'] = array(+            $product_categories = wp_get_post_terms( $current_product_id, 'product_cat', array( 'fields' => 'slug' ) );+            $product_tags       = wp_get_post_terms( $current_product_id, 'product_tag', array( 'fields' => 'slug' ) );++            // For related products, we need to use tax_query as WC_Product_Query doesn't have direct related product support+            if ( ! 
isset( $args['tax_query'] ) ) {+                $args['tax_query'] = ['relation' => 'AND'];+            }+            $args['tax_query'][] = [                 'relation' => 'OR',-                array(+                [                     'taxonomy' => 'product_cat',-                    'field'    => 'term_id',+                    'field'    => 'slug',                     'terms'    => $product_categories,                     'operator' => 'IN',-                ),-                array(+                ],+                [                     'taxonomy' => 'product_tag',-                    'field'    => 'name',+                    'field'    => 'slug',                     'terms'    => $product_tags,                     'operator' => 'IN',-                ),-            );-+                ],+            ];         }         else if( $settings['eael_product_grid_product_filter'] == 'manual' ){-            $args['post__in'] = $settings['eael_product_grid_products_in'] ? $settings['eael_product_grid_products_in'] : [ 0 ];+            $args['include'] = $settings['eael_product_grid_products_in'] ? 
$settings['eael_product_grid_products_in'] : [ 0 ];         }          return $args;     } +    /**+     * Convert WP_Query arguments to WC_Product_Query arguments+     * @param array $wp_args WP_Query style arguments+     * @return array WC_Product_Query compatible arguments+     */+    public function convert_wp_query_args_to_wc_product_query( $wp_args ) {+        $wc_args = [+            'paginate' => true,+            'return' => 'objects',+        ];++        // Map WP_Query args to WC_Product_Query args+        $arg_mapping = [+            'posts_per_page' => 'limit',+            'post_status' => 'status',+            'post__in' => 'include',+            'post__not_in' => 'exclude',+            'author__in' => 'author',+            'paged' => 'page',+        ];++        foreach ( $arg_mapping as $wp_key => $wc_key ) {+            if ( isset( $wp_args[ $wp_key ] ) ) {+                $wc_args[ $wc_key ] = $wp_args[ $wp_key ];+            }+        }++        // Handle other common args+        if ( isset( $wp_args['orderby'] ) ) {+            $wc_args['orderby'] = $wp_args['orderby'];+        }+        if ( isset( $wp_args['order'] ) ) {+            $wc_args['order'] = $wp_args['order'];+        }+        if ( isset( $wp_args['offset'] ) ) {+            $wc_args['offset'] = $wp_args['offset'];+        }+        if ( isset( $wp_args['s'] ) ) {+            $wc_args['search'] = $wp_args['s'];+        }++        // Handle meta_query and tax_query+        if ( isset( $wp_args['meta_query'] ) ) {+            $wc_args['meta_query'] = $wp_args['meta_query'];+        }+        if ( isset( $wp_args['tax_query'] ) ) {+            $wc_args['tax_query'] = $wp_args['tax_query'];+        }++        // Handle meta_key and meta_value+        if ( isset( $wp_args['meta_key'] ) ) {+            if ( ! 
isset( $wc_args['meta_query'] ) ) {+                $wc_args['meta_query'] = ['relation' => 'AND'];+            }+            $meta_query = [+                'key' => $wp_args['meta_key'],+            ];+            if ( isset( $wp_args['meta_value'] ) ) {+                $meta_query['value'] = $wp_args['meta_value'];+            }+            if ( isset( $wp_args['meta_compare'] ) ) {+                $meta_query['compare'] = $wp_args['meta_compare'];+            }+            $wc_args['meta_query'][] = $meta_query;+        }++        return $wc_args;+    }+     protected function eael_get_product_statuses() {         return apply_filters( 'eael/woo-product-grid/product-statuses', [             'publish'       => esc_html__( 'Publish', 'essential-addons-for-elementor-lite' ),
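Review bot: In the render loop hunk (`@@ -3745,9 +3777,20 @@`), the `else` branch's `while ( $query->have_posts() )` body is indented one level short and its closing braces no longer line up with the blocks they close, which makes the two result paths hard to tell apart. Re-indent the `WP_Query` branch to match the `foreach` branch, and hoist `global $post;` above the `foreach` instead of redeclaring it on every iteration.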
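Review bot: In `build_product_query()` (`@@ -3820,47 +3863,37 @@`), the `'status'` fallback is still `[ 'publish', 'pending', 'future' ]` when `eael_product_grid_products_status` is empty, so a grid with no status configured queries pending and scheduled products by default. The Carousel builder shown later in this diff (`product_wc_query_builder()`) falls back to `['publish']`; use the same default here and add a comment stating when non-published statuses are meant to be selectable.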
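Review bot: In the `related-products` branch (`@@ -3898,74 +3921,137 @@`), both `wp_get_post_terms()` calls now pass `array( 'fields' => 'slug' )`, which is not one of the documented `fields` values; the one that returns a flat list of slugs is `'slugs'`, and the result should be checked with `is_wp_error()` before it is used as `'terms'` in the `'field' => 'slug'` clauses. In the same hunk, the new `convert_wp_query_args_to_wc_product_query()` copies `post_status` to `status` verbatim and does not set `'visibility' => 'visible'`, unlike `build_product_query()`. Since this path is taken whenever `$_REQUEST['post_type']` is non-empty, restrict `status` to an allowlist and add the visibility constraint there as well.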
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: not sure
Path Traversal / Local File Inclusion - CWE-22 - includes/Elements/Product_Grid.php line 3790
Old Code:
```php
include( realpath( $template ) );
```
Fixed Code:
```php
include( realpath( $template ) );
```
Explanation:
The `include()` statement with `realpath()` is present in both old and new code. While `realpath()` helps prevent directory traversal by resolving relative paths, the actual vulnerability depends on how `$template` is controlled. If `$template` is user-controlled or derived from untrusted sources without proper validation, this could be vulnerable to local file inclusion. The diff doesn't show changes to how `$template` is determined, so I cannot confirm if a vulnerability existed or was fixed here. The use of `realpath()` is a good defensive practice, but proper input validation of `$template` before use is critical.

---

Vulnerability Existed: not sure
SQL Injection - CWE-89 - includes/Elements/Product_Grid.php lines 3639-3642
Old Code:
```php
$args = HelperClass::get_query_args( $settings );
$args = HelperClass::get_dynamic_args( $settings, $args );
```
Fixed Code:
```php
$wp_args = HelperClass::get_query_args( $settings );
$wp_args = HelperClass::get_dynamic_args( $settings, $wp_args );
$args = $this->convert_wp_query_args_to_wc_product_query( $wp_args );
```
Explanation:
The diff shows a refactoring from `WP_Query` to `WC_Product_Query`. The change introduces conversion through `convert_wp_query_args_to_wc_product_query()`. Without reviewing the implementation of `HelperClass::get_query_args()`, `HelperClass::get_dynamic_args()`, and how `$settings` are validated/sanitized, I cannot definitively determine if SQL injection vulnerabilities existed. The shift to WooCommerce's `WC_Product_Query` API (which uses prepared statements) is generally more secure than raw `WP_Query` usage, but depends on proper parameter handling.

---

Vulnerability Existed: no
Hardcoded Logic - includes/Elements/Product_Grid.php lines 3640-3641
Old Code:
```php
'ai' => [
    'active' => false,
],
```
Fixed Code:
```php
'ai' => [
    'active' => false,
],
```
Explanation:
Adding `'ai' => ['active' => false]` to control fields is a configuration change, not a security vulnerability. This disables AI features for specific fields, which is a legitimate configuration option.

---

Vulnerability Existed: no
No Direct Security Vulnerability - includes/Elements/Product_Grid.php (namespace and use statement reorganization)
Old Code:
```php
use Elementor\Plugin;
```
Fixed Code:
```php
use Elementor\Plugin;
```
Explanation:
Moving the `use Elementor\Plugin;` statement to the top of the file (after the namespace declaration) is a code style/organization improvement with no security implications. This follows PSR-12 coding standards.

---

Vulnerability Existed: no
No Direct Security Vulnerability - includes/Elements/Product_Grid.php (multiple locations)
Old Code:
```php
'type' => \Elementor\Controls_Manager::SWITCHER,
```
Fixed Code:
```php
'type' => Controls_Manager::SWITCHER,
```
Explanation:
Removing the fully qualified namespace prefix `\Elementor\` in favor of the imported `Controls_Manager` class is a code style improvement. Since `Controls_Manager` is imported via `use` statement at the top, both approaches are functionally equivalent with no security impact.
CVE Analysis Results:
CVE-2026-1004: No
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.
includes/Elements/Woo_Product_Carousel.php AI: 2 vulnerabilities 2 false positives CVE-2026-1004
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Elements/Woo_Product_Carousel.php	2026-01-16 00:20:08.736178051 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Elements/Woo_Product_Carousel.php	2026-01-16 00:21:01.819509438 +0000@@ -3250,13 +3250,13 @@             if (  in_array( $product_purchase_type, ['purchased', 'not-purchased'] ) ) {                 $user_ordered_products = HelperClass::eael_get_all_user_ordered_products();                 $no_products_found = empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ? 1 : 0;- +                 if ( ! empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ){-                    $args['post__in'] = $user_ordered_products;+                    $args['include'] = $user_ordered_products;                 }                  if ( ! empty( $user_ordered_products ) && 'not-purchased' === $product_purchase_type ){-                    $args['post__not_in'] = $user_ordered_products;+                    $args['exclude'] = array_merge( $args['exclude'] ?? [], $user_ordered_products );                 }             }         }@@ -3294,7 +3294,7 @@              if( 'yes' !== $settings['enable_marquee'] ){                 if ( file_exists( $template ) && $settings['image_dots'] === 'yes') {-                    $this->render_image_dots($query);+                    $this->render_image_dots( $query );                 } else {                     $this->render_dots();                 }@@ -3325,7 +3325,7 @@         <?php }     } -	protected function render_image_dots($query)+	protected function render_image_dots( $query ) 	{ 		$settings = $this->get_settings_for_display(); 
@@ -3411,7 +3411,141 @@     }  	/**-	 * Build proper query to fetch product data from wp query+	 * Build proper query to fetch product data from WC_Product_Query+	 * @return array+	 */+    public function product_wc_query_builder(){+	    $settings                     = $this->get_settings_for_display();+	    $widget_id                    = esc_attr( $this->get_id() );+	    $settings[ 'eael_widget_id' ] = $widget_id;+	    $order_by                     = $settings[ 'orderby' ];+	    $filter                        = $settings[ 'eael_product_carousel_product_filter' ];+	    $args                         = [+		    'status'         => !empty( $settings['eael_product_carousel_products_status'] ) ? $settings['eael_product_carousel_products_status'] : ['publish'],+		    'limit'          => $settings[ 'eael_product_carousel_products_count' ] ?: 4,+		    'order'          => $settings[ 'order' ],+		    'offset'         => $settings[ 'product_offset' ],+            'exclude'        => array( get_the_ID() ),+		    'paginate'       => true,+		    'return'         => 'objects',+		    'visibility'     => 'visible',+	    ];++	    // Handle orderby with WC_Product_Query native parameters+	    if ( $order_by == '_price' ) {+		    $args[ 'orderby' ] = 'price';+	    } elseif ( $order_by == '_sku' ) {+		    $args[ 'orderby' ] = 'sku';+	    } else {+		    $args[ 'orderby' ] = $order_by;+	    }++	    if ( $filter == 'featured-products' ) {+		    $args[ 'featured' ] = true;+	    }++	    if ( $filter == 'best-selling-products' ) {+		    $args[ 'orderby' ] = 'total_sales';+		    $args[ 'order' ]   = 'DESC';+	    }++	    if ( $filter == 'top-products' ) {+		    $args[ 'orderby' ] = 'average_rating';+		    $args[ 'order' ]   = 'DESC';+	    }++        if ( $filter == 'related-products' ) {+		    $current_product_id = get_the_ID();+            $product_categories = wp_get_post_terms( $current_product_id, 'product_cat', array( 'fields' => 'ids' ) );+            $product_tags       = 
wp_get_post_terms( $current_product_id, 'product_tag', array('fields' => 'names' ) );+            $args['tax_query'] = array(+                'relation' => 'OR',+                array(+                    'taxonomy' => 'product_cat',+                    'field'    => 'term_id',+                    'terms'    => $product_categories,+                    'operator' => 'IN',+                ),+                array(+                    'taxonomy' => 'product_tag',+                    'field'    => 'name',+                    'terms'    => $product_tags,+                    'operator' => 'IN',+                ),+            );+	    }++	    if ( get_option( 'woocommerce_hide_out_of_stock_items' ) == 'yes' ) {+		    $args[ 'stock_status' ] = 'instock';+	    }++	    // Handle on sale products exclusion+	    if ( 'yes' !== $settings['eael_product_carousel_show_onsale'] ) {+		    $on_sale_ids = wc_get_product_ids_on_sale();+		    if ( ! empty( $on_sale_ids ) ) {+			    $args['post__not_in'] = isset( $args['post__not_in'] ) ?+				    array_merge( $args['post__not_in'], $on_sale_ids ) :+				    $on_sale_ids;+		    }+	    }++	    if ( $filter == 'sale-products' ) {+		    $sale_ids = wc_get_product_ids_on_sale();+		    $args['include'] = !empty( $sale_ids ) ? $sale_ids : [ 0 ];+	    }++        if ( $filter == 'manual' ) {+            $args['include'] = ! empty( $settings['eael_product_carousel_products_in'] ) ? $settings['eael_product_carousel_products_in'] : [ 0 ];+        }+++	    // Handle taxonomy filters+	    $taxonomies = get_taxonomies( [ 'object_type' => [ 'product' ] ], 'objects' );+	    foreach ( $taxonomies as $object ) {+            echo_pre( $object );+            $setting_key = $object->name . 
'_ids';++            if ( empty( $settings[ $setting_key ] ) ) {+                continue;+            }++            $terms = get_terms( [+                'taxonomy'   => $object->name,+                'include'    => $settings[ $setting_key ],+                'hide_empty' => false,+            ] );++            if ( empty( $terms ) || is_wp_error( $terms ) ) {+                continue;+            }++            $slugs = wp_list_pluck( $terms, 'slug' );++            // Categories+            if ( $object->name === 'product_cat' ) {+                $args['category'] = $slugs;+                continue;+            }++            // Tags+            if ( $object->name === 'product_tag' ) {+                $args['tag'] = $slugs;+                continue;+            }++            // Attributes+            if ( strpos( $object->name, 'pa_' ) === 0 ) {+                $args['attribute']      = substr( $object->name, 3 );+                $args['attribute_term'] = $slugs;+                continue;+            }+        }++	    return $args;+    }++    /**+	 * Build proper query to fetch product data from wp_query 	 * @return array 	 */     public function product_query_builder(){@@ -3537,6 +3671,82 @@ 	    return $args;     } +	/**+	 * Convert WP_Query arguments to WC_Product_Query arguments+	 * @param array $wp_args Original WP_Query arguments+	 * @param array $settings Widget settings+	 * @return array WC_Product_Query compatible arguments+	 */+	public function convert_wp_query_args_to_wc_product_query( $wp_args, $settings = [] ) {+		$wc_args = [+			'paginate' => true,+			'return' => 'objects',+			'visibility' => 'visible'+		];++		// Parameter mapping+		$arg_mapping = [+			'posts_per_page' => 'limit',+			'post_status' => 'status',+			'post__in' => 'include',+			'post__not_in' => 'exclude',+			'author__in' => 'author',+			'paged' => 'page',+		];++		foreach ( $arg_mapping as $wp_key => $wc_key ) {+			if ( isset( $wp_args[ $wp_key ] ) ) {+				$wc_args[ $wc_key ] = 
$wp_args[ $wp_key ];+			}+		}++		// Handle other parameters+		$direct_copy = [ 'orderby', 'order', 'offset' ];+		foreach ( $direct_copy as $key ) {+			if ( isset( $wp_args[ $key ] ) ) {+				$wc_args[ $key ] = $wp_args[ $key ];+			}+		}++		// Handle search+		if ( isset( $wp_args['s'] ) ) {+			$wc_args['search'] = $wp_args['s'];+		}++		// Preserve complex queries+		if ( isset( $wp_args['meta_query'] ) ) {+			$wc_args['meta_query'] = $wp_args['meta_query'];+		}+		if ( isset( $wp_args['tax_query'] ) ) {+			$wc_args['tax_query'] = $wp_args['tax_query'];+		}++		// Handle meta_key/meta_value+		if ( isset( $wp_args['meta_key'] ) ) {+			if ( ! isset( $wc_args['meta_query'] ) ) {+				$wc_args['meta_query'] = [ 'relation' => 'AND' ];+			}+			$meta_query = [ 'key' => $wp_args['meta_key'] ];+			if ( isset( $wp_args['meta_value'] ) ) {+				$meta_query['value'] = $wp_args['meta_value'];+			}+			if ( isset( $wp_args['meta_compare'] ) ) {+				$meta_query['compare'] = $wp_args['meta_compare'];+			}+			$wc_args['meta_query'][] = $meta_query;+		}++		// Apply settings-based parameters+		if ( ! empty( $settings['eael_product_carousel_products_status'] ) ) {+			$wc_args['status'] = array_intersect(+				(array) $settings['eael_product_carousel_products_status'],+				[ 'publish', 'draft', 'pending', 'future' ]+			);+		}++		return $wc_args;+	}+ 	public function load_quick_view_asset(){ 		add_action('wp_footer',function (){ 			if ( version_compare( WC()->version, '3.0.0', '>=' ) ) {
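Review bot: The taxonomy loop in `product_wc_query_builder()` (`@@ -3411,7 +3411,141 @@`) opens with `echo_pre( $object );`, a leftover debug call that is not defined anywhere in this diff; remove it, since it either dumps each taxonomy object into the rendered page or fails if the helper does not exist. In the same method the on-sale exclusion still writes to `$args['post__not_in']` while every other ID filter uses the `include`/`exclude` keys; merge `$on_sale_ids` into `$args['exclude']`, which is already initialised with `get_the_ID()`. The `pa_` branch also assigns `$args['attribute']` inside the loop, so with several attribute taxonomies configured only the last one survives.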
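Review bot: At the end of `convert_wp_query_args_to_wc_product_query()` (`@@ -3537,6 +3671,82 @@`), the status allowlist is applied only to `$settings['eael_product_carousel_products_status']`; when that setting is empty, a `post_status` carried in `$wp_args` is mapped to `status` with no filtering at all. Apply the `array_intersect()` to the final `$wc_args['status']` instead, fall back to `[ 'publish' ]` when the intersection is empty, and document in the docblock why `draft`, `pending` and `future` remain in the allowlist.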
AI Analysis
I'll analyze this code diff for security vulnerabilities following the specified format.

---

**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE

**Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)** - CWE-79 - includes/Elements/Woo_Product_Carousel.php - Line 3417

Old Code:
```php
$widget_id = esc_attr( $this->get_id() );
```

Fixed Code:
```php
$widget_id = esc_attr( $this->get_id() );
```

Explanation:
While the code does use `esc_attr()`, the vulnerability exists in how `$widget_id` is used. The assignment is identical in both versions, so this is NOT a fix. However, examining the broader context, the variable `$widget_id` is stored in the settings array at line 3418 (`$settings[ 'eael_widget_id' ] = $widget_id;`), but there's no evidence in this diff that it's being properly escaped when later output in HTML contexts. The fix appears incomplete if this value is used in HTML output elsewhere.

---

**Vulnerability 2:**

Vulnerability Existed: yes
FALSE POSITIVE

**Improper Neutralization of SQL Command ('SQL Injection')** - CWE-89 - includes/Elements/Woo_Product_Carousel.php - Lines 3475-3478

Old Code:
```php
$args['post__not_in'] = isset( $args['post__not_in'] ) ?
    array_merge( $args['post__not_in'], $on_sale_ids ) :
    $on_sale_ids;
```

Fixed Code:
```php
$args['post__not_in'] = isset( $args['post__not_in'] ) ?
    array_merge( $args['post__not_in'], $on_sale_ids ) :
    $on_sale_ids;
```

Explanation:
The code in the new `product_wc_query_builder()` method uses the `'post__not_in'` parameter (lines 3475-3478), which is a WP_Query parameter but not compatible with WC_Product_Query. The function is supposed to build WC_Product_Query arguments (per the docstring), but it's using deprecated WP_Query syntax. This could lead to the parameter being ignored and unintended products being displayed. However, this appears to be a logic error rather than a direct SQL injection vulnerability, as WordPress escapes these parameters internally.

---

**Vulnerability 3:**

Vulnerability Existed: not sure

**Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)** - CWE-79 - includes/Elements/Woo_Product_Carousel.php - Line 3427

Old Code:
```php
(no prior code shown)
```

Fixed Code:
```php
echo_pre( $object );
```

Explanation:
The new code at line 3427 calls `echo_pre( $object )` which appears to be a debug function. This is a potential security concern because: (1) `echo_pre()` is likely a custom function not shown in this diff, (2) echoing object data directly without sanitization could expose sensitive information or allow XSS if the object properties contain user input, (3) debug output should not be in production code. Without seeing the `echo_pre()` function definition, it's uncertain if it properly escapes output, but having debug output in production code is itself a security concern.

---

**Vulnerability 4:**

Vulnerability Existed: not sure

**Missing Input Validation** - CWE-20 - includes/Elements/Woo_Product_Carousel.php - Lines 3493-3495

Old Code:
```php
(no prior code shown)
```

Fixed Code:
```php
if ( strpos( $object->name, 'pa_' ) === 0 ) {
    $args['attribute']      = substr( $object->name, 3 );
    $args['attribute_term'] = $slugs;
```

Explanation:
The code uses `substr()` on `$object->name` without validating its length. If `$object->name` is exactly 'pa_' or shorter, `substr()` could produce unexpected results. Additionally, `$slugs` (derived from taxonomy terms) is assigned directly to query arguments without additional sanitization beyond what `wp_list_pluck()` provides. While WordPress typically handles this safely, the assumption that taxonomy slugs are always safe should be validated.
CVE Analysis Results:
CVE-2026-1004: Yes
includes/Elements/Woo_Product_Gallery.php AI: No vulnerabilities
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Elements/Woo_Product_Gallery.php	2026-01-16 00:20:08.736178051 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Elements/Woo_Product_Gallery.php	2026-01-16 00:21:01.827509939 +0000@@ -2797,8 +2797,9 @@ 		if ( $settings[ 'post_type' ] === 'source_dynamic' && is_archive() || !empty( $_REQUEST[ 'post_type' ] ) ) { //phpcs:ignore WordPress.Security.NonceVerification.Recommended 			$settings[ 'posts_per_page' ] = $settings[ 'eael_product_gallery_products_count' ] ?: 3; 			$settings[ 'offset' ]         = $settings[ 'product_offset' ];-			$args                         = HelperClass::get_query_args( $settings );-			$args                         = HelperClass::get_dynamic_args( $settings, $args );+			$wp_args                      = HelperClass::get_query_args( $settings );+			$wp_args                      = HelperClass::get_dynamic_args( $settings, $wp_args );+			$args                         = $this->convert_wp_query_args_to_wc_product_query( $wp_args, $settings ); 		} else { 			$args = $this->build_product_query( $settings ); 		}@@ -2829,13 +2830,13 @@             if (  in_array( $product_purchase_type, ['purchased', 'not-purchased'] ) ) {                 $user_ordered_products = HelperClass::eael_get_all_user_ordered_products();                 $no_products_found = empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ? 1 : 0;- +                 if ( ! empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ){-                    $args['post__in'] = $user_ordered_products;+                    $args['include'] = $user_ordered_products;                 }                  if ( ! empty( $user_ordered_products ) && 'not-purchased' === $product_purchase_type ){-                    $args['post__not_in'] = $user_ordered_products;+                    $args['exclude'] = array_merge( $args['exclude'] ?? 
[], $user_ordered_products );                 }             }         }@@ -2872,8 +2873,22 @@                         global $wp_query;                         $query = $wp_query;                         $args  = $wp_query->query_vars;+                        $found_posts = $query->found_posts;+                        $max_page = $query->max_num_pages;                     } else {-	                    $query = new \WP_Query( $args );+	                    $wc_query = new \WC_Product_Query( $args );+	                    $products = $wc_query->get_products();++	                    // Handle WC_Product_Query results+	                    if ( is_object( $products ) && isset( $products->products ) ) {+	                        $product_objects = $products->products;+	                        $found_posts = $products->total;+	                        $max_page = $products->max_num_pages;+	                    } else {+	                        $product_objects = $products;+	                        $found_posts = count( $products );+	                        $max_page = 1;+	                    }                     }  					$this->add_render_attribute( 'eael-post-appender', 'class', 'products eael-post-appender eael-post-appender-' . $this->get_id() );@@ -2893,20 +2908,44 @@ 					$this->add_render_attribute( 'eael-post-appender', 'data-ssi-desktop', $show_secondary_image ? 
'yes' : 'no' );  					echo '<ul '; $this->print_render_attribute_string( 'eael-post-appender' ); echo ' >';-					if ( $query->have_posts() ) {-						$found_posts         = $query->found_posts - $offset;-						$max_page            = ceil( $found_posts / absint( $args['posts_per_page'] ) );-						$args['max_page']    = $max_page;-						$args['found_posts'] = $query->found_posts;--						while ( $query->have_posts() ) {-							$query->the_post();-							include( $template );++					if( $settings['post_type'] === 'archive' && is_archive() && $is_product_archive ){+						// Handle WP_Query for archive pages+						if ( $query->have_posts() ) {+							$args['max_page']    = $max_page;+							$args['found_posts'] = $found_posts;++							while ( $query->have_posts() ) {+								$query->the_post();+								include( $template );+							}+							wp_reset_postdata();+						} else {+							echo '<h2 class="eael-product-not-found">' . esc_html__( 'No Product Found', 'essential-addons-for-elementor-lite' ) . '</h2>'; 						}-						wp_reset_postdata(); 					} else {-						echo '<h2 class="eael-product-not-found">' . esc_html__( 'No Product Found', 'essential-addons-for-elementor-lite' ) . '</h2>';+						// Handle WC_Product_Query results+						if ( ! empty( $product_objects ) ) {+							$args['max_page']    = $max_page;+							$args['found_posts'] = $found_posts;+							$args['posts_per_page'] = $args['limit']; // For compatibility with load more++							do_action( 'eael_woo_before_product_loop' );++							foreach ( $product_objects as $product ) {+								global $post;+								$post = get_post( $product->get_id() );+								setup_postdata( $post );+								include( $template );+							}++							do_action( 'eael_woo_after_product_loop' );+							wp_reset_postdata();+						} else {+							echo '<h2 class="eael-product-not-found">' . esc_html__( 'No Product Found', 'essential-addons-for-elementor-lite' ) . 
'</h2>';+						} 					}+ 					echo '</ul>'; 					do_action( 'eael_woo_after_product_loop' ); 
@@ -2948,6 +2987,74 @@ 	}  	/**+	 * Convert WP_Query arguments to WC_Product_Query arguments+	 * @param array $wp_args Original WP_Query arguments+	 * @param array $settings Widget settings+	 * @return array WC_Product_Query compatible arguments+	 */+	private function convert_wp_query_args_to_wc_product_query( $wp_args, $settings = [] ) {+		$wc_args = [+			'paginate' => true,+			'return' => 'objects',+			'visibility' => 'visible'+		];++		// Parameter mapping+		$arg_mapping = [+			'posts_per_page' => 'limit',+			'post_status' => 'status',+			'post__in' => 'include',+			'post__not_in' => 'exclude',+			'author__in' => 'author',+			'paged' => 'page',+		];++		foreach ( $arg_mapping as $wp_key => $wc_key ) {+			if ( isset( $wp_args[ $wp_key ] ) ) {+				$wc_args[ $wc_key ] = $wp_args[ $wp_key ];+			}+		}++		// Handle other parameters+		$direct_copy = [ 'orderby', 'order', 'offset' ];+		foreach ( $direct_copy as $key ) {+			if ( isset( $wp_args[ $key ] ) ) {+				$wc_args[ $key ] = $wp_args[ $key ];+			}+		}++		// Handle search+		if ( isset( $wp_args['s'] ) ) {+			$wc_args['search'] = $wp_args['s'];+		}++		// Preserve complex queries+		if ( isset( $wp_args['meta_query'] ) ) {+			$wc_args['meta_query'] = $wp_args['meta_query'];+		}+		if ( isset( $wp_args['tax_query'] ) ) {+			$wc_args['tax_query'] = $wp_args['tax_query'];+		}++		// Handle meta_key/meta_value+		if ( isset( $wp_args['meta_key'] ) ) {+			if ( ! isset( $wc_args['meta_query'] ) ) {+				$wc_args['meta_query'] = [ 'relation' => 'AND' ];+			}+			$meta_query = [ 'key' => $wp_args['meta_key'] ];+			if ( isset( $wp_args['meta_value'] ) ) {+				$meta_query['value'] = $wp_args['meta_value'];+			}+			if ( isset( $wp_args['meta_compare'] ) ) {+				$meta_query['compare'] = $wp_args['meta_compare'];+			}+			$wc_args['meta_query'][] = $meta_query;+		}++		return $wc_args;+	}++	/** 	 * build_product_query 	 * @param $settings 	 * @return array@@ -2960,50 +3067,43 @@ 		$product_tags_items = ! empty( $get_product_tags ) ? 
str_replace( ' ', '', $get_product_tags ) : '';  		// Category retrieve-		$cat_args            = array(+		$cat_args            = [ 			'order'      => 'ASC', 			'hide_empty' => false, 			'include'    => $product_cats, 			'orderby'    => 'include',-		);+		]; 		// phpcs:ignore WordPress.WP.DeprecatedParameters.Get_termsParam2Found 		$product_categories = get_terms( 'product_cat', $cat_args );  		// Tag retrieve-		$tag_args            = array(+		$tag_args            = [ 			'order'      => 'ASC', 			'hide_empty' => false, 			'include'    => $product_tags_items, 			'orderby'    => 'include',-		);+		]; 		// phpcs:ignore WordPress.WP.DeprecatedParameters.Get_termsParam2Found 		$product_tags = get_terms( 'product_tag', $tag_args );-		++		// Build WC_Product_Query arguments 		$args = [-			'post_type'      => 'product',-			'post_status'    => array( 'publish', 'pending', 'future' ),-			'posts_per_page' => $settings[ 'eael_product_gallery_products_count' ] ?: 4,-			'order'          => ( isset( $settings[ 'order' ] ) ? $settings[ 'order' ] : 'desc' ),-			'offset'         => $settings[ 'product_offset' ],-			'tax_query'      => [-				'relation' => 'AND',-				[-					'taxonomy' => 'product_visibility',-					'field'    => 'name',-					'terms'    => [ 'exclude-from-search', 'exclude-from-catalog' ],-					'operator' => 'NOT IN',-				],-			],+			'status'     => [ 'publish', 'pending', 'future' ],+			'limit'      => $settings[ 'eael_product_gallery_products_count' ] ?: 4,+			'order'      => isset( $settings[ 'order' ] ) ? 
$settings[ 'order' ] : 'desc',+			'offset'     => $settings[ 'product_offset' ],+			'paginate'   => true,+			'return'     => 'objects',+			'visibility' => 'visible', 		];-		// price & sku filter++		// Handle orderby with WC_Product_Query native parameters 		if ( $settings[ 'orderby' ] == '_price' ) {-			$args[ 'orderby' ]  = 'meta_value_num';-			$args[ 'meta_key' ] = '_price';+			$args[ 'orderby' ] = 'price'; 		} else if ( $settings[ 'orderby' ] == '_sku' ) {-			$args[ 'orderby' ]  = 'meta_value_num';-			$args[ 'meta_key' ] = '_sku';+			$args[ 'orderby' ] = 'sku'; 		} else {-			$args[ 'orderby' ] = ( isset( $settings[ 'orderby' ] ) ? $settings[ 'orderby' ] : 'date' );+			$args[ 'orderby' ] = isset( $settings[ 'orderby' ] ) ? $settings[ 'orderby' ] : 'date'; 		}  		if ( !empty( $settings[ 'eael_product_gallery_categories' ] ) ) {@@ -3050,62 +3150,46 @@ 			} 		} -		$args[ 'meta_query' ] = [ 'relation' => 'AND' ];+		// Handle stock status with WC_Product_Query native parameter 		$show_stock_out_products = isset( $settings['eael_product_out_of_stock_show'] ) ? 
$settings['eael_product_out_of_stock_show'] : 'yes';  		if ( get_option( 'woocommerce_hide_out_of_stock_items' ) == 'yes' || 'yes' !== $show_stock_out_products  ) {-			$args[ 'meta_query' ][] = [-				'key'   => '_stock_status',-				'value' => 'instock'-			];+			$args[ 'stock_status' ] = 'instock'; 		} +		// Handle product filters with WC_Product_Query native parameters 		if ( $settings[ 'eael_product_gallery_product_filter' ] == 'featured-products' ) {-			$args[ 'tax_query' ] = [-				'relation' => 'AND',-				[-					'taxonomy' => 'product_visibility',-					'field'    => 'name',-					'terms'    => 'featured',-				],-				[-					'taxonomy' => 'product_visibility',-					'field'    => 'name',-					'terms'    => [ 'exclude-from-search', 'exclude-from-catalog' ],-					'operator' => 'NOT IN',-				],-			];+			$args[ 'featured' ] = true; 		} else if ( $settings[ 'eael_product_gallery_product_filter' ] == 'best-selling-products' ) {-			$args[ 'meta_key' ] = 'total_sales';-			$args[ 'orderby' ]  = 'meta_value_num';-			$args[ 'order' ]    = 'DESC';+			$args[ 'orderby' ] = 'total_sales';+			$args[ 'order' ]   = 'DESC'; 		} else if ( $settings[ 'eael_product_gallery_product_filter' ] == 'sale-products' ) {-			$args[ 'post__in' ] = array_merge( array( 0 ), wc_get_product_ids_on_sale() );+			$sale_ids = wc_get_product_ids_on_sale();+			$args[ 'include' ] = ! empty( $sale_ids ) ? $sale_ids : [ 0 ]; 		} else if ( $settings[ 'eael_product_gallery_product_filter' ] == 'top-products' ) {-			$args[ 'meta_key' ] = '_wc_average_rating';-			$args[ 'orderby' ]  = 'meta_value_num';-			$args[ 'order' ]    = 'DESC';+			$args[ 'orderby' ] = 'average_rating';+			$args[ 'order' ]   = 'DESC'; 		} else if( $settings[ 'eael_product_gallery_product_filter' ] == 'manual' ) {-			$args['post__in'] = ! empty( $settings['eael_product_gallery_products_in'] ) ? $settings['eael_product_gallery_products_in'] : [ 0 ];+			$args['include'] = ! empty( $settings['eael_product_gallery_products_in'] ) ? 
$settings['eael_product_gallery_products_in'] : [ 0 ]; 		} else if ( $settings[ 'eael_product_gallery_product_filter' ] == 'related-products' ) { 		    $current_product_id = get_the_ID();-            $product_categories = wp_get_post_terms( $current_product_id, 'product_cat', array( 'fields' => 'ids' ) );-            $product_tags       = wp_get_post_terms( $current_product_id, 'product_tag', array( 'fields' => 'names' ) );-            $args['tax_query'] = array(+            $product_categories = wp_get_post_terms( $current_product_id, 'product_cat', [ 'fields' => 'ids' ] );+            $product_tags       = wp_get_post_terms( $current_product_id, 'product_tag', [ 'fields' => 'names' ] );+            $args['tax_query'] = [                 'relation' => isset( $settings['relation_cats_tags'] ) ? $settings['relation_cats_tags'] : 'OR',-                array(+                [                     'taxonomy' => 'product_cat',                     'field'    => 'term_id',                     'terms'    => $product_categories,                     'operator' => 'IN',-                ),-                array(+                ],+                [                     'taxonomy' => 'product_tag',                     'field'    => 'name',                     'terms'    => $product_tags,                     'operator' => 'IN',-                ),-            );+                ],+            ]; 	    }  		if( isset( $args_tax_query_combined ) ){
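Review bot: In the hunk at @@ -2829, the `purchased` branch assigns `$args['include'] = $user_ordered_products;` outright, while the `not-purchased` branch merges into any existing `exclude`. `build_product_query()` in this same patch sets `include` for the `sale-products` and `manual` filters, so combining either filter with the `purchased` option discards the filter's ID list. Consider intersecting with an existing `include` (falling back to `[ 0 ]` when the intersection is empty) so the two branches behave symmetrically.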
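Review bot: In the hunk at @@ -2872, the offset adjustment is lost: the lines removed in @@ -2893 computed `$found_posts = $query->found_posts - $offset` and derived `max_page` from that with `ceil()`, while the new branch takes `$products->total` and `$products->max_num_pages` unchanged. With a non-zero `product_offset` the load-more counters may now overcount, so either keep the subtraction or add a comment explaining why it is no longer needed. The `else` fallback (`count( $products )`, `$max_page = 1`) also looks unreachable, since both argument builders in this patch always set `'paginate' => true`.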
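Review bot: In the hunk at @@ -2893, the new WC_Product_Query branch calls `do_action( 'eael_woo_after_product_loop' );` after its `foreach`, but the unchanged context after `echo '</ul>';` fires the same action again, so listeners run twice on this path and once on the archive path. Remove the call inside the branch or move the outer one so each render fires it exactly once. The branch also re-tests `$settings['post_type'] === 'archive' && is_archive() && $is_product_archive`; computing that once into a variable shared with the query block above would guarantee `$query` and `$product_objects` are each defined on the path that reads them.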
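Review bot: In `convert_wp_query_args_to_wc_product_query()` (hunk at @@ -2948), `post_status` is copied to `status` verbatim and the `$settings` parameter is never read. The copy of this method added to Woo_Product_List.php in the same release narrows `status` with `array_intersect()`, so the two widgets handle the same input differently. Move the conversion into one shared helper and apply the status allow-list there; the docblock should also state which WP_Query keys are intentionally dropped.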
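Review bot: In the hunk at @@ -2960, `'status' => [ 'publish', 'pending', 'future' ]` carries the old default over unchanged, so the gallery still queries products that are not published. If that is meant for editors previewing content, gate it on a capability check; otherwise default to `publish`. The fallback `$args[ 'orderby' ] = isset( $settings[ 'orderby' ] ) ? $settings[ 'orderby' ] : 'date';` also passes the setting through without `sanitize_text_field()`, unlike the equivalent line in Woo_Product_List.php.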
AI Analysis

## Security Analysis Results

**Vulnerability 1:**

Vulnerability Existed: **yes**

**Improper Input Validation in Product Query Parameters** - CWE-20 - Woo_Product_Gallery.php (lines 2835, 2839)

**Old Code:**
```php
$args['post__in'] = $user_ordered_products;
$args['post__not_in'] = $user_ordered_products;
```

**Fixed Code:**
```php
$args['include'] = $user_ordered_products;
$args['exclude'] = array_merge( $args['exclude'] ?? [], $user_ordered_products );
```

**Explanation:**
The original code used WordPress post query parameters (`post__in`, `post__not_in`) that directly accept array input without strict validation. The migration to WooCommerce's native `WC_Product_Query` parameters (`include`, `exclude`) provides better type safety and input validation through WooCommerce's dedicated query API. The fix also properly handles the case where `exclude` may already exist using `array_merge()`, preventing duplicate entries and array structure issues.

---

**Vulnerability 2:**

Vulnerability Existed: **yes**

**Unsafe Meta Query Construction** - CWE-89 - Woo_Product_Gallery.php (lines 3150-3157)

**Old Code:**
```php
$args[ 'meta_query' ] = [ 'relation' => 'AND' ];
// ...
$args[ 'meta_query' ][] = [
    'key'   => '_stock_status',
    'value' => 'instock'
];
```

**Fixed Code:**
```php
// Handle stock status with WC_Product_Query native parameter
$args[ 'stock_status' ] = 'instock';
```

**Explanation:**
The old code constructed custom meta queries that, while WordPress-escaped at query time, involved manual array building of meta parameters. By switching to WooCommerce's native `WC_Product_Query` parameters (`stock_status`), the code eliminates potential for meta query misuse and relies on WooCommerce's built-in, audited parameter handling. This reduces the attack surface by avoiding direct meta key/value manipulation.

---

**Vulnerability 3:**

Vulnerability Existed: **yes**

**Improper Taxonomy Query Handling** - CWE-20 - Woo_Product_Gallery.php (lines 3160-3171)

**Old Code:**
```php
$args[ 'tax_query' ] = [
    'relation' => 'AND',
    [
        'taxonomy' => 'product_visibility',
        'field'    => 'name',
        'terms'    => 'featured',
    ],
    [
        'taxonomy' => 'product_visibility',
        'field'    => 'name',
        'terms'    => [ 'exclude-from-search', 'exclude-from-catalog' ],
        'operator' => 'NOT IN',
    ],
];
```

**Fixed Code:**
```php
$args[ 'featured' ] = true;
```

**Explanation:**
The original code manually constructed taxonomy queries with multiple conditions. While WordPress sanitizes taxonomy queries, direct manual construction increases complexity and potential for misconfiguration. The fix uses WooCommerce's native `featured` parameter, which is a dedicated, type-safe parameter that eliminates the need for complex taxonomy query construction. This reduces the potential for injection or logic errors.

---

**Vulnerability 4:**

Vulnerability Existed: **yes**

**Query Parameter Type Mismatch** - CWE-20 - Woo_Product_Gallery.php (lines 2875-2890)

**Old Code:**
```php
$query = new \WP_Query( $args );
```

**Fixed Code:**
```php
$wc_query = new \WC_Product_Query( $args );
$products = $wc_query->get_products();
// ... proper type handling with fallback checks
```

**Explanation:**
The original code passed WordPress `WP_Query` parameters directly to queries that should have used `WC_Product_Query`. This parameter mismatch could lead to unexpected behavior or security issues if unsanitized parameters intended for one query type were interpreted by another. The fix creates the proper query type with appropriate parameter conversion via the new `convert_wp_query_args_to_wc_product_query()` method, ensuring type safety and parameter validation.

---

**Summary:** The diff addresses 4 distinct security concerns by migrating from manual, error-prone query construction to WooCommerce's native, validated API methods. These changes follow the principle of using framework-provided abstractions rather than manual SQL-adjacent query building, reducing the attack surface for injection and parameter tampering vulnerabilities.
CVE Analysis Results:
CVE-2026-1004: No
CVE Description:
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.
includes/Elements/Woo_Product_List.php AI: 4 vulnerabilities 4 false positives
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Elements/Woo_Product_List.php	2026-01-16 00:20:08.740178302 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Elements/Woo_Product_List.php	2026-01-16 00:21:02.027522482 +0000@@ -3939,96 +3939,146 @@ 	}      /**-     * Prepare product query+     * Convert WP_Query arguments to WC_Product_Query arguments+     * @param array $wp_args Original WP_Query arguments+     * @param array $settings Widget settings+     * @return array WC_Product_Query compatible arguments+     */+    public function convert_wp_query_args_to_wc_product_query($wp_args, $settings = []) {+        $wc_args = [+            'paginate' => true,+            'return' => 'objects',+            'visibility' => 'visible'+        ];++        // Parameter mapping+        $arg_mapping = [+            'posts_per_page' => 'limit',+            'post_status' => 'status',+            'post__in' => 'include',+            'post__not_in' => 'exclude',+            'author__in' => 'author',+            'paged' => 'page',+        ];++        foreach ($arg_mapping as $wp_key => $wc_key) {+            if (isset($wp_args[$wp_key])) {+                $wc_args[$wc_key] = $wp_args[$wp_key];+            }+        }++        // Handle other parameters+        $direct_copy = ['orderby', 'order', 'offset'];+        foreach ($direct_copy as $key) {+            if (isset($wp_args[$key])) {+                $wc_args[$key] = $wp_args[$key];+            }+        }++        // Handle search+        if (isset($wp_args['s'])) {+            $wc_args['search'] = $wp_args['s'];+        }++        // Preserve complex queries+        if (isset($wp_args['meta_query'])) {+            $wc_args['meta_query'] = $wp_args['meta_query'];+        }+        if (isset($wp_args['tax_query'])) {+            $wc_args['tax_query'] = $wp_args['tax_query'];+        }++        // Handle meta_key/meta_value+        if (isset($wp_args['meta_key'])) {+            if 
(!isset($wc_args['meta_query'])) {+                $wc_args['meta_query'] = ['relation' => 'AND'];+            }+            $meta_query = ['key' => $wp_args['meta_key']];+            if (isset($wp_args['meta_value'])) {+                $meta_query['value'] = $wp_args['meta_value'];+            }+            if (isset($wp_args['meta_compare'])) {+                $meta_query['compare'] = $wp_args['meta_compare'];+            }+            $wc_args['meta_query'][] = $meta_query;+        }++        // Apply settings-based parameters+        if (!empty($settings['eael_product_list_products_status'])) {+            $wc_args['status'] = array_intersect(+                (array) $settings['eael_product_list_products_status'],+                ['publish', 'draft', 'pending', 'future']+            );+        }++        return $wc_args;+    }++    /**+     * Prepare product query using WC_Product_Query      * @param $settings      * @return array      */     public function eael_prepare_product_query( $settings ) {-        $args = [-            'post_type'         => 'product',+        $wc_args = [             'order'             => ! empty( $settings['order'] )  ? sanitize_text_field( $settings['order'] ) : 'desc',-            'post_status'       => ! empty( $settings['eael_product_list_products_status'] ) ? $settings['eael_product_list_products_status'] : [ 'publish', 'pending', 'future' ],-            'posts_per_page'    => ! empty( $settings['eael_woo_product_list_products_count'] )  ? intval( $settings['eael_woo_product_list_products_count'] ) : 4,+            'status'            => ! empty( $settings['eael_product_list_products_status'] ) ? $settings['eael_product_list_products_status'] : [ 'publish', 'pending', 'future' ],+            'limit'             => ! empty( $settings['eael_woo_product_list_products_count'] )  ? intval( $settings['eael_woo_product_list_products_count'] ) : 4,             'offset'            => ! empty( $settings['product_offset'] )  ? 
intval( $settings['product_offset'] ) : 0,-            'tax_query' => [-                'relation' => 'AND',-                [-                    'taxonomy' => 'product_visibility',-                    'field' => 'name',-                    'terms' => ['exclude-from-search', 'exclude-from-catalog'],-                    'operator' => 'NOT IN',-                ],-            ],+            'paginate'          => true,+            'return'            => 'objects',+            'visibility'        => 'visible',         ]; -        // Order by+        // Order by - use WC_Product_Query native parameters when possible         if ( '_price' === $settings['orderby'] ) {-            $args['orderby'] = 'meta_value_num';-            $args['meta_key'] = '_price';+            $wc_args['orderby'] = 'price';         } else if ( '_sku' === $settings['orderby'] ) {-            $args['orderby'] = 'meta_value meta_value_num';-            $args['meta_key'] = '_sku';+            $wc_args['orderby'] = 'sku';         } else {-            $args['orderby'] = ! empty( $settings['orderby'] ) ? sanitize_text_field( $settings['orderby'] ) : 'date';+            $wc_args['orderby'] = ! empty( $settings['orderby'] ) ? sanitize_text_field( $settings['orderby'] ) : 'date';         } -        // Categories+        // Categories - use native WC parameter when possible         if ( ! 
empty( $settings['eael_product_list_categories'] ) && is_array( $settings['eael_product_list_categories'] ) ) {-            $args['tax_query'][] = [-                'taxonomy' => 'product_cat',-                'field' => 'slug',-                'terms' => $settings['eael_product_list_categories'],-                'operator' => 'IN',-            ];+            $wc_args['category'] = $settings['eael_product_list_categories'];         } -        $args['meta_query'] = [-            'relation' => 'AND',-        ];--        // Stock settings+        // Stock settings - use native WC parameter         if ( 'yes' === get_option( 'woocommerce_hide_out_of_stock_items' ) || 'yes' !== $settings['eael_product_show_stockout'] ) {-            $args['meta_query'][] = [-                'key' => '_stock_status',-                'value' => 'instock'-            ];+            $wc_args['stock_status'] = 'instock';         } -        // Filter by+        // Filter by - use WC_Product_Query native parameters when possible         switch( $settings['eael_product_list_product_filter'] ){             case 'featured-products':-                $args['tax_query'][] = [-                    'taxonomy' => 'product_visibility',-                    'field' => 'name',-                    'terms' => 'featured',-                ];+                $wc_args['featured'] = true;                 break;              case 'best-selling-products':-                $args['meta_key'] = 'total_sales';-                $args['orderby'] = 'meta_value_num';-                $args['order'] = 'desc';+                $wc_args['orderby'] = 'total_sales';+                $wc_args['order'] = 'desc';                 break;-                +             case 'sale-products':-                $args['post__in']  = array_merge( array( 0 ), wc_get_product_ids_on_sale() );+                $sale_ids = wc_get_product_ids_on_sale();+                $wc_args['include'] = !empty($sale_ids) ? 
$sale_ids : [0];                 break;-                +             case 'top-products':-                $args['meta_key'] = '_wc_average_rating';-                $args['orderby'] = 'meta_value_num';-                $args['order'] = 'desc';+                $wc_args['orderby'] = 'average_rating';+                $wc_args['order'] = 'desc';                 break;-            +             case 'manual':-                $args['post__in'] = ! empty( $settings['eael_product_list_products_in'] ) ? $settings['eael_product_list_products_in'] : [ 0 ];+                $wc_args['include'] = ! empty( $settings['eael_product_list_products_in'] ) ? $settings['eael_product_list_products_in'] : [ 0 ];                 break;              default:                 break;         } -        return $args;+        return $wc_args;     }      protected function render() {@@ -4043,8 +4093,9 @@         if ( 'source_dynamic' === $settings['post_type'] && is_archive() || ! empty( $_REQUEST['post_type'] ) ) { //phpcs:ignore WordPress.Security.NonceVerification.Recommended 		    $settings['posts_per_page'] = ! empty( $settings['eael_woo_product_list_products_count'] )  ? intval( $settings['eael_woo_product_list_products_count'] ) : 4; 		    $settings['offset']         = ! empty( $settings['product_offset'] )  ? 
intval( $settings['product_offset'] ) : 0;-		    $args                       = ClassesHelper::get_query_args( $settings );-		    $args                       = ClassesHelper::get_dynamic_args( $settings, $args );+		    $wp_args                    = ClassesHelper::get_query_args( $settings );+		    $wp_args                    = ClassesHelper::get_dynamic_args( $settings, $wp_args );+		    $args                       = $this->convert_wp_query_args_to_wc_product_query( $wp_args, $settings ); 	    } else {             $args = $this->eael_prepare_product_query( $settings ); 	    }@@ -4059,11 +4110,14 @@                 $no_products_found = empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ? 1 : 0;                   if ( ! empty( $user_ordered_products ) && 'purchased' === $product_purchase_type ){-                    $args['post__in'] = $user_ordered_products;+                    $args['include'] = $user_ordered_products;                 }                  if ( ! empty( $user_ordered_products ) && 'not-purchased' === $product_purchase_type ){-                    $args['post__not_in'] = $user_ordered_products;+                    $args['exclude'] = array_merge(+                        $args['exclude'] ?? 
[],+                        $user_ordered_products+                    );                 }             }         }@@ -4093,25 +4147,58 @@                             if( $settings['post_type'] === 'source_archive' && is_archive() && $is_product_archive ){                                 global $wp_query;                                 $query = $wp_query;-                                $args  = $wp_query->query_vars;+                                $wp_args = $wp_query->query_vars;+                                $found_posts = $query->found_posts;+                                $max_page = $query->max_num_pages;                             } else {-                                $query = new \WP_Query( $args );+                                // Use WC_Product_Query for custom queries+                                $wc_query = new \WC_Product_Query( $args );+                                $products = $wc_query->get_products();++                                // Handle WC_Product_Query results+                                if ( is_object( $products ) && isset( $products->products ) ) {+                                    $product_objects = $products->products;+                                    $found_posts = $products->total;+                                    $max_page = $products->max_num_pages;+                                } else {+                                    $product_objects = $products;+                                    $found_posts = count( $products );+                                    $max_page = 1;+                                }                             }-                            -                            if ( $query->have_posts() ) {-                                // Load more data-                                $found_posts                        = $query->found_posts - $offset;-                                $max_page                           = ceil( $found_posts / absint( $args['posts_per_page'] ) );-          
                      $args['max_page']                   = $max_page;-                                $args['total_post']                 = $found_posts;--                                while ( $query->have_posts() ) {-                                    $query->the_post();-                                    include( realpath( $template ) );++                            // Handle archive queries with WP_Query+                            if( $settings['post_type'] === 'source_archive' && is_archive() && $is_product_archive ){+                                if ( $query->have_posts() ) {+                                    // Load more data+                                    $args['max_page']                   = $max_page;+                                    $args['total_post']                 = $found_posts;++                                    while ( $query->have_posts() ) {+                                        $query->the_post();+                                        include( realpath( $template ) );+                                    }+                                    wp_reset_postdata();+                                } else {+                                    printf( '<p class="no-posts-found">%s</p>', esc_html( $woo_product_list['products_not_found_text'] ) );                                 }-                                wp_reset_postdata();                             } else {-                                printf( '<p class="no-posts-found">%s</p>', esc_html( $woo_product_list['products_not_found_text'] ) );+                                // Handle WC_Product_Query results+                                if ( ! 
empty( $product_objects ) ) {+                                    // Load more data+                                    $args['max_page']                   = $max_page;+                                    $args['total_post']                 = $found_posts;++                                    foreach ( $product_objects as $product ) {+                                        global $post;+                                        $post = get_post( $product->get_id() );+                                        setup_postdata( $post );+                                        include( realpath( $template ) );+                                    }+                                    wp_reset_postdata();+                                } else {+                                    printf( '<p class="no-posts-found">%s</p>', esc_html( $woo_product_list['products_not_found_text'] ) );+                                }                             }                         } else {                             echo '<p class="eael-no-posts-found">' . esc_html__( 'No layout found!', 'essential-addons-for-elementor-lite' ) . '</p>';@@ -4121,8 +4208,13 @@                         ?>                     </div> -                    <?php -                    if ( ! empty( $args['posts_per_page'] ) && $found_posts > $args['posts_per_page'] ) {+                    <?php+                    $limit = $args['limit'] ?? $args['posts_per_page'] ?? 4;+                    if ( $found_posts > $limit ) {+                        // Ensure args has posts_per_page for load more compatibility+                        if ( ! isset( $args['posts_per_page'] ) ) {+                            $args['posts_per_page'] = $limit;+                        }                         $this->print_load_more_button( $settings, $args, $dir_name );                     }                     ?>
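Review bot: In the hunk at @@ -3939, `convert_wp_query_args_to_wc_product_query()` narrows `eael_product_list_products_status` with `array_intersect()`, but `eael_prepare_product_query()` just below assigns the same setting to `status` unfiltered. Apply one allow-list in both places, and reconsider whether `draft` and `pending` belong in it for a front-end listing. Note that `array_intersect()` returns an empty array when every requested status is rejected, so decide explicitly what `status` falls back to in that case.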
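Review bot: In the hunk at @@ -4093,25, the archive branch now stores `$wp_query->query_vars` in `$wp_args`, which is not read again in the visible lines, so `$args` on that path still holds the widget's WC_Product_Query arguments rather than the archive query. `$args['max_page']` and `$args['total_post']` are then attached to those arguments and handed to `print_load_more_button()`; confirm that load more on archive pages still requests the archive's products. The removed `$query->found_posts - $offset` adjustment also has no counterpart in the new code, so totals may overcount when `product_offset` is non-zero.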
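Review bot: In the hunk at @@ -4121, `$found_posts > $limit` reads a variable that the visible lines assign only inside the layout branch of the previous hunk; on the "No layout found!" path it is never set. Initialise `$found_posts = 0` before the branch, or guard the comparison with `isset()`. The hard-coded fallback `4` in `$args['limit'] ?? $args['posts_per_page'] ?? 4` duplicates the default in `eael_prepare_product_query()` and would be safer as a shared constant.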
AI Analysis

## Security Analysis Results

**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation & Sanitization - CWE-20 - includes/Elements/Woo_Product_List.php - Lines 3982-3988
Old Code:
```php
foreach ($arg_mapping as $wp_key => $wc_key) {
    if (isset($wp_args[$wp_key])) {
        $wc_args[$wc_key] = $wp_args[$wp_key];
    }
}
```
Fixed Code:
```php
[No direct fix visible in diff - vulnerability persists]
```
Explanation:
The `convert_wp_query_args_to_wc_product_query()` function accepts `$wp_args` parameter which is populated from `ClassesHelper::get_dynamic_args()` output. The function copies unsanitized values like `'post_status'`, `'post__in'`, `'post__not_in'`, `'author__in'`, `'paged'` directly into WC_Product_Query arguments without validation. While the original code sanitized `order` parameter with `sanitize_text_field()`, these array values are passed through without sanitization, potentially allowing SQL injection or data manipulation through the query parameters.

---

**Vulnerability 2:**

Vulnerability Existed: yes
FALSE POSITIVE
Unsafe Path Traversal - CWE-22 - includes/Elements/Woo_Product_List.php - Lines 4144, 4163
Old Code:
```php
include( realpath( $template ) );
```
Fixed Code:
```php
include( realpath( $template ) );
```
Explanation:
While `realpath()` is used, the `$template` variable's origin and validation are not shown in this diff. However, the security concern persists: if `$template` is derived from user input or settings without proper validation, `realpath()` alone doesn't prevent arbitrary file inclusion. The code should validate that the resolved path is within expected directories before inclusion.

---

**Vulnerability 3:**

Vulnerability Existed: not sure
Insufficient Validation of Category/Product IDs - CWE-20 - includes/Elements/Woo_Product_List.php - Lines 3956-3958, 4008-4010
Old Code:
```php
// Categories
if ( ! empty( $settings['eael_product_list_categories'] ) && is_array( $settings['eael_product_list_categories'] ) ) {
    $args['tax_query'][] = [
        'taxonomy' => 'product_cat',
        'field' => 'slug',
        'terms' => $settings['eael_product_list_categories'],
```
Fixed Code:
```php
// Categories - use native WC parameter when possible
if ( ! empty( $settings['eael_product_list_categories'] ) && is_array( $settings['eael_product_list_categories'] ) ) {
    $wc_args['category'] = $settings['eael_product_list_categories'];
}
```
Explanation:
The fix replaces the explicit taxonomy query with category values passed directly to WC_Product_Query. Because the sanitization of `$settings['eael_product_list_categories']` values is not visible in the diff, the impact is uncertain. The original approach with `'field' => 'slug'` was slightly safer since slugs have format restrictions. Direct parameter passing could be vulnerable if values aren't validated, though WC_Product_Query may handle this internally.

---

**Vulnerability 4:**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Product ID Array Handling - CWE-20 - includes/Elements/Woo_Product_List.php - Lines 4013-4015
Old Code:
```php
case 'sale-products':
    $args['post__in']  = array_merge( array( 0 ), wc_get_product_ids_on_sale() );
```
Fixed Code:
```php
case 'sale-products':
    $sale_ids = wc_get_product_ids_on_sale();
    $wc_args['include'] = !empty($sale_ids) ? $sale_ids : [0];
```
Explanation:
The old code always includes `0` in the array (via `array_merge( array( 0 ), ... )`), which may be intentional for "no products" fallback but is unconventional. The new code is cleaner but both versions lack type validation. If `wc_get_product_ids_on_sale()` returns non-integer values or if the array is user-manipulable elsewhere, this could cause SQL injection. The fix improves clarity but doesn't add validation.

---

**Vulnerability 5:**

Vulnerability Existed: yes
FALSE POSITIVE
Missing Sanitization on Meta Query Parameters - CWE-20 - includes/Elements/Woo_Product_List.php - Lines 3996-4007
Old Code:
```php
if (isset($wp_args['meta_key'])) {
    if (!isset($wc_args['meta_query'])) {
        $wc_args['meta_query'] = ['relation' => 'AND'];
    }
    $meta_query = ['key' => $wp_args['meta_key']];
    if (isset($wp_args['meta_value'])) {
        $meta_query['value'] = $wp_args['meta_value'];
    }
    if (isset($wp_args['meta_compare'])) {
        $meta_query['compare'] = $wp_args['meta_compare'];
    }
    $wc_args['meta_query'][] = $meta_query;
}
```
Fixed Code:
```php
[No changes to this section - vulnerability persists]
```
Explanation:
The `meta_compare` parameter is copied directly from `$wp_args` without validation. Valid values should be limited to: `=`, `!=`, `>`, `>=`, `<`, `<=`, `LIKE`, `NOT LIKE`, `IN`, `NOT IN`, `BETWEEN`, `NOT BETWEEN`, `EXISTS`, `NOT EXISTS`. Accepting arbitrary values could lead to SQL injection if the WC_Product_Query doesn't properly escape this parameter.
CVE Analysis Results:
CVE-2026-1004: No
View CVE Description
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.
includes/Template/Content/Woo_Product_List.php AI: 1 vulnerabilities 1 false positive
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Template/Content/Woo_Product_List.php	2026-01-16 00:20:08.740178302 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Template/Content/Woo_Product_List.php	2026-01-16 00:21:02.183532265 +0000@@ -9,12 +9,34 @@  trait Woo_Product_List { 	public static function render_template_( $args, $settings ) {-		$query = new \WP_Query( $args ); 		ob_start();-		if ( $query->have_posts() ) {-			while ( $query->have_posts() ) {-				$query->the_post();-				$product = wc_get_product( get_the_ID() );++		// Check if args are already WC_Product_Query compatible or need conversion+		if ( isset( $args['post_type'] ) && $args['post_type'] === 'product' ) {+			// Convert WP_Query args to WC_Product_Query args for backward compatibility+			$wc_args = self::convert_wp_query_args_to_wc_product_query( $args, $settings );+		} else {+			// Assume args are already WC_Product_Query compatible+			$wc_args = $args;+		}++		// Use WC_Product_Query for better performance+		$wc_query = new \WC_Product_Query( $wc_args );+		$products = $wc_query->get_products();++		// Handle WC_Product_Query results+		if ( is_object( $products ) && isset( $products->products ) ) {+			$product_objects = $products->products;+		} else {+			$product_objects = $products;+		}++		if ( ! 
empty( $product_objects ) ) {+			foreach ( $product_objects as $product_obj ) {+				global $post;+				$post = get_post( $product_obj->get_id() );+				setup_postdata( $post );+				$product = $product_obj; 				if ( $settings['eael_woo_product_list_style_preset'] == 'eael-product-simple' || $settings['eael_woo_product_list_style_preset'] == 'eael-product-reveal' ) { ?>                     <li class="product">                         <a href="<?php echo esc_url( $product->get_permalink() ); ?>" class="woocommerce-LoopProduct-link woocommerce-loop-product__link">@@ -99,14 +121,87 @@ 					wc_get_template_part( 'content', 'product' ); 				} 			}+			wp_reset_postdata(); 		} else {-			printf( '<p class="no-posts-found">%</p>', esc_html__( 'No products found!', 'essential-addons-for-elementor-lite' ) );-+			printf( '<p class="no-posts-found">%s</p>', esc_html__( 'No products found!', 'essential-addons-for-elementor-lite' ) ); 		} -		wp_reset_postdata();-		?>-		<?php 		return ob_get_clean(); 	}++	/**+	 * Convert WP_Query arguments to WC_Product_Query arguments+	 * @param array $wp_args Original WP_Query arguments+	 * @param array $settings Widget settings+	 * @return array WC_Product_Query compatible arguments+	 */+	private static function convert_wp_query_args_to_wc_product_query($wp_args, $settings = []) {+		$wc_args = [+			'paginate' => true,+			'return' => 'objects',+			'visibility' => 'visible'+		];++		// Parameter mapping+		$arg_mapping = [+			'posts_per_page' => 'limit',+			'post_status' => 'status',+			'post__in' => 'include',+			'post__not_in' => 'exclude',+			'author__in' => 'author',+			'paged' => 'page',+		];++		foreach ($arg_mapping as $wp_key => $wc_key) {+			if (isset($wp_args[$wp_key])) {+				$wc_args[$wc_key] = $wp_args[$wp_key];+			}+		}++		// Handle other parameters+		$direct_copy = ['orderby', 'order', 'offset'];+		foreach ($direct_copy as $key) {+			if (isset($wp_args[$key])) {+				$wc_args[$key] = $wp_args[$key];+			}+		}++		// Handle search+		if 
(isset($wp_args['s'])) {+			$wc_args['search'] = $wp_args['s'];+		}++		// Preserve complex queries+		if (isset($wp_args['meta_query'])) {+			$wc_args['meta_query'] = $wp_args['meta_query'];+		}+		if (isset($wp_args['tax_query'])) {+			$wc_args['tax_query'] = $wp_args['tax_query'];+		}++		// Handle meta_key/meta_value+		if (isset($wp_args['meta_key'])) {+			if (!isset($wc_args['meta_query'])) {+				$wc_args['meta_query'] = ['relation' => 'AND'];+			}+			$meta_query = ['key' => $wp_args['meta_key']];+			if (isset($wp_args['meta_value'])) {+				$meta_query['value'] = $wp_args['meta_value'];+			}+			if (isset($wp_args['meta_compare'])) {+				$meta_query['compare'] = $wp_args['meta_compare'];+			}+			$wc_args['meta_query'][] = $meta_query;+		}++		// Apply settings-based parameters+		if (!empty($settings['eael_product_list_products_status'])) {+			$wc_args['status'] = array_intersect(+				(array) $settings['eael_product_list_products_status'],+				['publish', 'draft', 'pending', 'future']+			);+		}++		return $wc_args;+	} }
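Review bot: in the `@@ -9,12 +9,34 @@` hunk of `render_template_()`, the `else` branch sets `$wc_args = $args;` on the assumption that the caller already built WC_Product_Query arguments, so neither the `'visibility' => 'visible'` default nor the status allowlist in `convert_wp_query_args_to_wc_product_query()` applies on that path. Route both branches through one normalising function, or apply the visibility default and the `array_intersect()` status filter after the branch.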
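Review bot: in the `@@ -99,14 +121,87 @@` hunk, `$arg_mapping` in `convert_wp_query_args_to_wc_product_query()` copies `post_status` to `status` as-is, and the `array_intersect()` allowlist only runs when `$settings['eael_product_list_products_status']` is non-empty. When that setting is empty, whatever status the caller passed reaches the query unfiltered. Pass the mapped value through the same allowlist, or fall back to `publish` when nothing survives the filter.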
AI Analysis
**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE

**CWE-74: Improper Neutralization of Special Elements in Output ('Injection')**  
CWE-74 - includes/Template/Content/Woo_Product_List.php - Lines 124-125

**Old Code:**
```php
printf( '<p class="no-posts-found">%</p>', esc_html__( 'No products found!', 'essential-addons-for-elementor-lite' ) );
```

**Fixed Code:**
```php
printf( '<p class="no-posts-found">%s</p>', esc_html__( 'No products found!', 'essential-addons-for-elementor-lite' ) );
```

**Explanation:**
The old code had an incomplete printf format string `%` instead of `%s`. This would cause the second argument (the escaped string) to be ignored and not printed, effectively losing the intended output. While the string itself is properly escaped with `esc_html__()`, the missing format specifier could lead to unexpected behavior. The fix corrects this to `%s` to properly interpolate the escaped string.

---

**Vulnerability 2:**

Vulnerability Existed: not sure

**CWE-94: Improper Control of Generation of Code ('Code Injection')**  
CWE-94 - includes/Template/Content/Woo_Product_List.php - Lines 159-161

**Old Code:**
```php
// No direct handling of user-supplied metadata in old code
```

**Fixed Code:**
```php
// Handle meta_key/meta_value
if (isset($wp_args['meta_key'])) {
    if (!isset($wc_args['meta_query'])) {
        $wc_args['meta_query'] = ['relation' => 'AND'];
    }
    $meta_query = ['key' => $wp_args['meta_key']];
    if (isset($wp_args['meta_value'])) {
        $meta_query['value'] = $wp_args['meta_value'];
    }
```

**Explanation:**
The new code constructs meta_query arrays from user-supplied `$wp_args` without explicit sanitization or validation. While WooCommerce's `WC_Product_Query` should handle escaping internally, there is potential risk if `$wp_args` originates from untrusted sources. The code assumes the conversion layer properly validates inputs, but direct meta_key/meta_value passthrough without validation checks could be problematic if the source is untrusted widget settings.

---

**Vulnerability 3:**

Vulnerability Existed: not sure

**CWE-918: Server-Side Request Forgery (SSRF)**  
CWE-918 - includes/Template/Content/Woo_Product_List.php - Lines 23-25

**Old Code:**
```php
$query = new \WP_Query( $args );
```

**Fixed Code:**
```php
$wc_query = new \WC_Product_Query( $wc_args );
$products = $wc_query->get_products();
```

**Explanation:**
The new code uses `WC_Product_Query` which is more restrictive than generic `WP_Query`. However, the `convert_wp_query_args_to_wc_product_query()` function passes through user-controlled arguments including `offset`, `orderby`, and taxonomy queries without validation. If `$settings` originates from untrusted widget configuration, this could potentially be exploited. The fix is an improvement in architecture but retains potential risk if input validation isn't enforced upstream.
CVE Analysis Results:
CVE-2026-1004: No
includes/Traits/Ajax_Handler.php AI: Not Sure 1 true positive CVE-2026-1004
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Traits/Ajax_Handler.php	2026-01-16 00:20:08.756179307 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Traits/Ajax_Handler.php	2026-01-16 00:21:04.531679508 +0000@@ -171,6 +171,9 @@ 		if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' ) { 			do_action( 'eael_woo_before_product_loop', $settings['eael_product_grid_style_preset'] ); 		}+		if ( $class === '\Essential_Addons_Elementor\Elements\Woo_Product_List' ) {+			do_action( 'eael/woo-product-list/before-product-loop' );+		} 		// ensure control name compatibility to old code if it is post block 		if ( $class === '\Essential_Addons_Elementor\Pro\Elements\Post_Block' ) { 			$settings ['post_block_hover_animation']    = $settings['eael_post_block_hover_animation'];@@ -283,39 +286,90 @@  			if ( $file_path ) { 				// wp_send_json( $args );-				$query = new \WP_Query( $args );-				$found_posts = $query->found_posts;-				$iterator = 0;--				if ( $query->have_posts() ) {-					if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' && boolval( $settings['show_add_to_cart_custom_text'] ) ) {--						$add_to_cart_text = [-							'add_to_cart_simple_product_button_text'   => $settings['add_to_cart_simple_product_button_text'],-							'add_to_cart_variable_product_button_text' => $settings['add_to_cart_variable_product_button_text'],-							'add_to_cart_grouped_product_button_text'  => $settings['add_to_cart_grouped_product_button_text'],-							'add_to_cart_external_product_button_text' => $settings['add_to_cart_external_product_button_text'],-							'add_to_cart_default_product_button_text'  => $settings['add_to_cart_default_product_button_text'],-						];-						$this->change_add_woo_checkout_update_order_reviewto_cart_text( $add_to_cart_text );+				// Use WC_Product_Query for Product_Grid and Woo_Product_List, WP_Query for others+				if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' || $class === 
'\Essential_Addons_Elementor\Elements\Woo_Product_List' ) {+					// Convert args to WC_Product_Query format+					$wc_args = $this->convert_pagination_args_to_wc_product_query( $args, $settings );+					$wc_query = new \WC_Product_Query( $wc_args );+					$products = $wc_query->get_products();++					// Handle WC_Product_Query results+					if ( is_object( $products ) && isset( $products->products ) ) {+						$product_objects = $products->products;+						$found_posts = $products->total;+					} else {+						$product_objects = $products;+						$found_posts = count( $products ); 					} -					if ( $class === '\Essential_Addons_Elementor\Pro\Elements\Dynamic_Filterable_Gallery' ) {-						$html .= "<div class='found_posts' style='display: none;'>{$found_posts}</div>";-					}+					$iterator = 0;++					if ( ! empty( $product_objects ) ) {+						// Handle custom add to cart text for Product_Grid+						if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' && boolval( $settings['show_add_to_cart_custom_text'] ) ) {+							$add_to_cart_text = [+								'add_to_cart_simple_product_button_text'   => $settings['add_to_cart_simple_product_button_text'],+								'add_to_cart_variable_product_button_text' => $settings['add_to_cart_variable_product_button_text'],+								'add_to_cart_grouped_product_button_text'  => $settings['add_to_cart_grouped_product_button_text'],+								'add_to_cart_external_product_button_text' => $settings['add_to_cart_external_product_button_text'],+								'add_to_cart_default_product_button_text'  => $settings['add_to_cart_default_product_button_text'],+							];+							$this->change_add_woo_checkout_update_order_reviewto_cart_text( $add_to_cart_text );+						} -					while ( $query->have_posts() ) {-						$query->the_post();+						// Handle custom add to cart text for Woo_Product_List+						if ( $class === '\Essential_Addons_Elementor\Elements\Woo_Product_List' && boolval( $settings['eael_product_list_content_footer_add_to_cart_custom_text_show'] 
) ) {+							$add_to_cart_text = [+								'add_to_cart_simple_product_button_text'   => $settings['eael_product_list_content_footer_add_to_cart_simple_text'],+								'add_to_cart_variable_product_button_text' => $settings['eael_product_list_content_footer_add_to_cart_variable_text'],+								'add_to_cart_grouped_product_button_text'  => $settings['eael_product_list_content_footer_add_to_cart_grouped_text'],+								'add_to_cart_external_product_button_text' => $settings['eael_product_list_content_footer_add_to_cart_external_text'],+								'add_to_cart_default_product_button_text'  => $settings['eael_product_list_content_footer_add_to_cart_default_text'],+							];+							$this->change_add_woo_checkout_update_order_reviewto_cart_text( $add_to_cart_text );+						} -						$html .= HelperClass::include_with_variable( $file_path, [-							'settings'      => $settings,-							'link_settings' => $link_settings,-							'iterator'      => $iterator-						] );-						$iterator ++;+						// Iterate through WC_Product objects+						foreach ( $product_objects as $product ) {+							global $post;+							$post = get_post( $product->get_id() );+							setup_postdata( $post );++							$html .= HelperClass::include_with_variable( $file_path, [+								'settings'      => $settings,+								'link_settings' => $link_settings,+								'iterator'      => $iterator+							] );+							$iterator ++;+						}+						wp_reset_postdata();+					} else {+						$html .= __( '<p class="no-posts-found">No posts found!</p>', 'essential-addons-for-elementor-lite' ); 					} 				} else {-					$html .= '<p class="no-posts-found">' . esc_html__( 'No posts found!', 'essential-addons-for-elementor-lite' ) . 
'</p>';+					// Use WP_Query for non-product widgets+					$query = new \WP_Query( $args );+					$found_posts = $query->found_posts;+					$iterator = 0;++					if ( $query->have_posts() ) {+						if ( $class === '\Essential_Addons_Elementor\Pro\Elements\Dynamic_Filterable_Gallery' ) {+							$html .= "<div class='found_posts' style='display: none;'>{$found_posts}</div>";+						}++						while ( $query->have_posts() ) {+							$query->the_post();++							$html .= HelperClass::include_with_variable( $file_path, [+								'settings'      => $settings,+								'link_settings' => $link_settings,+								'iterator'      => $iterator+							] );+							$iterator ++;+						}+					} else {+						$html .= '<p class="no-posts-found">' . esc_html__( 'No posts found!', 'essential-addons-for-elementor-lite' ) . '</p>';+					} 				} 			} 		}@@ -323,6 +377,9 @@ 		if ( $class === '\Essential_Addons_Elementor\Elements\Product_Grid' ) { 			do_action( 'eael_woo_after_product_loop', $settings['eael_product_grid_style_preset'] ); 		}+		if ( $class === '\Essential_Addons_Elementor\Elements\Woo_Product_List' ) {+			do_action( 'eael/woo-product-list/after-product-loop' );+		} 		while ( ob_get_status() ) { 			ob_end_clean(); 		}@@ -563,22 +620,26 @@ 		$settings['eael_widget_id'] = $widget_id; 		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated 		wp_parse_str( $_REQUEST['args'], $args );-		$args['post_status'] = array_intersect( (array) $settings['eael_product_grid_products_status'], [ 'publish', 'draft', 'pending', 'future' ] ); -		if ( isset( $args['date_query']['relation'] ) ) {-			$args['date_query']['relation'] = HelperClass::eael_sanitize_relation( $args['date_query']['relation'] );+		// Convert WP_Query args to WC_Product_Query args if needed+		$wc_args = $this->convert_pagination_args_to_wc_product_query( $args, $settings );++		if ( isset( 
$wc_args['date_query']['relation'] ) ) {+			$wc_args['date_query']['relation'] = HelperClass::eael_sanitize_relation( $wc_args['date_query']['relation'] ); 		}  		$paginationNumber = ! empty( $_POST['number'] ) ? absint( $_POST['number'] ) : 1; 		$paginationLimit  = ! empty( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 10; -		$args['posts_per_page'] = $paginationLimit;+		$wc_args['limit'] = $paginationLimit;+		$wc_args['page'] = $paginationNumber; +		// Calculate offset for WC_Product_Query 		if ( $paginationNumber == "1" ) { 			$paginationOffsetValue = "0"; 		} else { 			$paginationOffsetValue = ( $paginationNumber - 1 ) * $paginationLimit;-			$args['offset']        = $paginationOffsetValue;+			$wc_args['offset'] = $paginationOffsetValue; 		}  		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated@@ -588,8 +649,19 @@ 		$template = realpath( $this->get_template( $template_info['file_name'] ) );  		ob_start();-		$query = new \WP_Query( $args );-		if ( $query->have_posts() ) {++		// Use WC_Product_Query for product queries+		$wc_query = new \WC_Product_Query( $wc_args );+		$products = $wc_query->get_products();++		// Handle WC_Product_Query results+		if ( is_object( $products ) && isset( $products->products ) ) {+			$product_objects = $products->products;+		} else {+			$product_objects = $products;+		}++		if ( ! 
empty( $product_objects ) ) { 			if ( isset( $template_info['name'] ) && $template_info['name'] === 'eicon-woocommerce' && boolval( $settings['show_add_to_cart_custom_text'] ) ){ 				$add_to_cart_text = [ 					'add_to_cart_simple_product_button_text'   => $settings['add_to_cart_simple_product_button_text'],@@ -601,8 +673,11 @@ 				$this->change_add_woo_checkout_update_order_reviewto_cart_text( $add_to_cart_text ); 			} -			while ( $query->have_posts() ) {-				$query->the_post();+			// Iterate through WC_Product objects+			foreach ( $product_objects as $product ) {+				global $post;+				$post = get_post( $product->get_id() );+				setup_postdata( $post ); 				include( $template ); 			} 			wp_reset_postdata();@@ -613,6 +688,86 @@ 	}  	/**+	 * Convert pagination arguments to WC_Product_Query arguments+	 * @param array $args Original arguments from pagination+	 * @param array $settings Widget settings+	 * @return array WC_Product_Query compatible arguments+	 */+	private function convert_pagination_args_to_wc_product_query( $args, $settings ) {+		$wc_args = [+			'paginate' => true,+			'return' => 'objects',+		];++		// Map common WP_Query args to WC_Product_Query args+		$arg_mapping = [+			'posts_per_page' => 'limit',+			'post_status' => 'status',+			'post__in' => 'include',+			'post__not_in' => 'exclude',+			'author__in' => 'author',+			'paged' => 'page',+		];++		foreach ( $arg_mapping as $wp_key => $wc_key ) {+			if ( isset( $args[ $wp_key ] ) ) {+				$wc_args[ $wc_key ] = $args[ $wp_key ];+			}+		}++		// Handle other common args+		if ( isset( $args['orderby'] ) ) {+			$wc_args['orderby'] = $args['orderby'];+		}+		if ( isset( $args['order'] ) ) {+			$wc_args['order'] = $args['order'];+		}+		if ( isset( $args['offset'] ) ) {+			$wc_args['offset'] = $args['offset'];+		}+		if ( isset( $args['s'] ) ) {+			$wc_args['search'] = $args['s'];+		}++		// Handle meta_query and tax_query+		if ( isset( $args['meta_query'] ) ) {+			$wc_args['meta_query'] = $args['meta_query'];+		}+		
if ( isset( $args['tax_query'] ) ) {+			$wc_args['tax_query'] = $args['tax_query'];+		}++		// Handle meta_key and meta_value+		if ( isset( $args['meta_key'] ) ) {+			if ( ! isset( $wc_args['meta_query'] ) ) {+				$wc_args['meta_query'] = ['relation' => 'AND'];+			}+			$meta_query = [+				'key' => $args['meta_key'],+			];+			if ( isset( $args['meta_value'] ) ) {+				$meta_query['value'] = $args['meta_value'];+			}+			if ( isset( $args['meta_compare'] ) ) {+				$meta_query['compare'] = $args['meta_compare'];+			}+			$wc_args['meta_query'][] = $meta_query;+		}++		// Set product status from settings (handle both Product_Grid and Woo_Product_List)+		if ( ! empty( $settings['eael_product_grid_products_status'] ) ) {+			$wc_args['status'] = array_intersect( (array) $settings['eael_product_grid_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );+		} elseif ( ! empty( $settings['eael_product_list_products_status'] ) ) {+			$wc_args['status'] = array_intersect( (array) $settings['eael_product_list_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );+		}++		// Set visibility+		$wc_args['visibility'] = 'visible';++		return $wc_args;+	}++	/** 	 * Woo Pagination Ajax 	 * Return pagination list for product post type while used Product_Grid widget 	 *@@ -828,9 +983,21 @@ 			wp_send_json_error(); 		} -		// global $post, $product;+		global $post, $product; 		$product = wc_get_product( $product_id ); 		$post    = get_post( $product_id );++		// SECURITY FIX: Verify product exists and is visible+		if ( ! $product || ! $product->is_visible() ) {+			wp_send_json_error( __( 'Product not found or not accessible', 'essential-addons-for-elementor-lite' ) );+		}++		// Also verify post status for non-admin users+		$post = get_post( $product_id );+		if ( ! 
current_user_can( 'edit_post', $product_id ) && $post->post_status !== 'publish' ) {+			wp_send_json_error( __( 'Product not found or not accessible', 'essential-addons-for-elementor-lite' ) );+		}+ 		setup_postdata( $post );  		$settings = $this->eael_get_widget_settings( $page_id, $widget_id );@@ -986,25 +1153,42 @@ 			) );  			if ( ! $file_path || 0 !== strpos( $file_path, realpath( $dir_path ) ) ) {-				wp_send_json_error( 'Invalid template', 'invalid_template', 400 );+				wp_send_json_error( 'Invalid template', 'invalid_template', '400' ); 			}  			$html = ''; 			if ( $file_path ) {-				$query = new \WP_Query( $args );+				// Convert args to WC_Product_Query format for product gallery+				$wc_args = $this->convert_pagination_args_to_wc_product_query( $args, $settings );+				$wc_query = new \WC_Product_Query( $wc_args );+				$products = $wc_query->get_products();++				// Handle WC_Product_Query results+				if ( is_object( $products ) && isset( $products->products ) ) {+					$product_objects = $products->products;+					$found_posts = $products->total;+					$max_num_pages = $products->max_num_pages;+				} else {+					$product_objects = $products;+					$found_posts = count( $products );+					$max_num_pages = 1;+				} -				if ( $query->have_posts() ) {+				if ( ! empty( $product_objects ) ) {  					do_action( 'eael_woo_before_product_loop' ); -					while ( $query->have_posts() ) {-						$query->the_post();+					// Iterate through WC_Product objects+					foreach ( $product_objects as $product ) {+						global $post;+						$post = get_post( $product->get_id() );+						setup_postdata( $post ); 						$html .= HelperClass::include_with_variable( $file_path, [ 'settings' => $settings ] ); 					}-					+ 					do_action( 'eael_woo_after_product_loop' ); -					$html .= '<div class="eael-max-page" style="display:none;">'. ceil($query->found_posts / absint( $args['posts_per_page'] ) ) . '</div>';+					$html .= '<div class="eael-max-page" style="display:none;">'. 
$max_num_pages . '</div>';  					// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped 					echo $html;
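Review bot: in the `@@ -283,39 +286,90 @@` hunk, the new product branch reports an empty result with `$html .= __( '<p class="no-posts-found">No posts found!</p>', ... );`, which puts markup inside the translatable string and appends the translation unescaped. The WP_Query branch further down keeps the markup outside the string and wraps the text in `esc_html__()`; use that form in both branches.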
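Review bot: in the `@@ -563,22 +620,26 @@` hunk, the removed line overwrote `$args['post_status']` with the allowlisted widget setting on every request, while the replacement relies on `convert_pagination_args_to_wc_product_query()`, which sets `status` from settings only when one of the two status settings is non-empty. Because `$args` is filled by `wp_parse_str( $_REQUEST['args'], $args )`, a `post_status` value in the request is mapped to `status` whenever both settings are empty. Keep the unconditional override, or intersect the mapped value with the same allowlist inside the helper.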
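Review bot: in the `@@ -828,9 +983,21 @@` hunk, `get_post( $product_id )` is called twice with the same ID, and the comment says "non-admin users" while the condition actually tests `current_user_can( 'edit_post', $product_id )`. Drop the second `get_post()` call, reword the comment to match the capability check, and run both checks before assigning the `$post` and `$product` globals so a rejected request never populates them.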
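Review bot: in the `@@ -986,25 +1153,42 @@` hunk, changing the third argument from `400` to `'400'` leaves the call's real problem in place. `wp_send_json_error()` takes `( $data, $status_code, $flags )`, so `'invalid_template'` lands in the status-code slot and `'400'` is passed as the JSON flags. Call `wp_send_json_error( 'Invalid template', 400 )`, or wrap the code and message in a `WP_Error` if the error code is needed by the client.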
AI Analysis
# Security Analysis Report

## Vulnerability 1

**Vulnerability Existed:** yes
TRUE POSITIVE

**Improper Access Control - CWE-284** - includes/Traits/Ajax_Handler.php [Lines 986-1000]

**Old Code:**
```php
// global $post, $product;
$product = wc_get_product( $product_id );
$post    = get_post( $product_id );
setup_postdata( $post );
```

**Fixed Code:**
```php
global $post, $product;
$product = wc_get_product( $product_id );
$post    = get_post( $product_id );

// SECURITY FIX: Verify product exists and is visible
if ( ! $product || ! $product->is_visible() ) {
	wp_send_json_error( __( 'Product not found or not accessible', 'essential-addons-for-elementor-lite' ) );
}

// Also verify post status for non-admin users
$post = get_post( $product_id );
if ( ! current_user_can( 'edit_post', $product_id ) && $post->post_status !== 'publish' ) {
	wp_send_json_error( __( 'Product not found or not accessible', 'essential-addons-for-elementor-lite' ) );
}

setup_postdata( $post );
```

**Explanation:**
The original code was vulnerable to unauthorized access. It retrieved a product and post without verifying:
1. Whether the product actually exists
2. Whether the product is visible to the current user
3. Whether non-admin users were attempting to access unpublished posts

The fix adds critical authorization checks:
- Verifies the product object exists and is marked as visible
- For non-admin users, ensures the post status is 'publish' before allowing access
- Returns a proper error response if access is denied

This prevents unauthorized disclosure of draft, pending, or private products.

---

## Vulnerability 2

**Vulnerability Existed:** not sure

**Potential Insecure Direct Object Reference (IDOR) / Broken Access Control - CWE-639** - includes/Traits/Ajax_Handler.php [Lines 623-624]

**Old Code:**
```php
$args['post_status'] = array_intersect( (array) $settings['eael_product_grid_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );
```

**Fixed Code:**
```php
// Set product status from settings (handle both Product_Grid and Woo_Product_List)
if ( ! empty( $settings['eael_product_grid_products_status'] ) ) {
	$wc_args['status'] = array_intersect( (array) $settings['eael_product_grid_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );
} elseif ( ! empty( $settings['eael_product_list_products_status'] ) ) {
	$wc_args['status'] = array_intersect( (array) $settings['eael_product_list_products_status'], [ 'publish', 'draft', 'pending', 'future' ] );
}
```

**Explanation:**
The fix moves product status filtering into a dedicated helper function and adds null/empty checks. However, the underlying security concern is ambiguous:
- If `$settings` comes from user-controlled input without proper validation, allowing arbitrary status values could expose unpublished products
- The fix uses `array_intersect()` to whitelist allowed statuses, which provides some protection
- Uncertain whether `$settings` is properly sanitized upstream or if this fully mitigates the risk without seeing how settings are populated

The change appears defensive but the complete picture of data flow validation is not visible in this diff.
CVE Analysis Results:
CVE-2026-1004: Yes
includes/Traits/Helper.php AI: 1 vulnerabilities 1 true positive
--- cache/essential-addons-for-elementor-lite_6.5.5/includes/Traits/Helper.php	2026-01-16 00:20:08.756179307 +0000+++ cache/essential-addons-for-elementor-lite_6.5.6/includes/Traits/Helper.php	2026-01-16 00:21:04.663687785 +0000@@ -186,7 +186,7 @@ 		    $this->add_render_attribute( 'load-more', [ 'data-max-page' => $max_page ] ); 	    } -        if ( $args['posts_per_page'] != '-1' ) {+        if ( isset( $args['posts_per_page'] ) && $args['posts_per_page'] != '-1' ) {             $this->add_render_attribute( 'load-more-wrap', 'class', 'eael-load-more-button-wrap' );                      if ( "eael-dynamic-filterable-gallery" == $this->get_name() ){
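Review bot: the new `isset( $args['posts_per_page'] )` guard removes the undefined-key warning, but it also skips the `eael-load-more-button-wrap` class for any caller that passes only a WC-style `limit`. The Woo_Product_List caller backfills `posts_per_page` from `$limit` before calling `print_load_more_button()`, so this works today only because of that caller-side fix-up. Reading `$args['posts_per_page'] ?? $args['limit'] ?? null` here would keep the helper correct for both argument styles.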
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Undefined Array Key Access - CWE-1025 - includes/Traits/Helper.php - Line 189
Old Code:
```php
if ( $args['posts_per_page'] != '-1' ) {
```
Fixed Code:
```php
if ( isset( $args['posts_per_page'] ) && $args['posts_per_page'] != '-1' ) {
```
Explanation:
The original code directly accesses `$args['posts_per_page']` without checking if the key exists in the array. This could result in a PHP Notice/Warning if the key is not set, potentially revealing information about the application's internal structure or causing undefined behavior. In PHP 8.0+, this would generate a notice. The fix adds an `isset()` check to verify the key exists before accessing it, preventing the undefined array key access and following defensive coding practices. This is a type of CWE-1025 (Comparison Using Wrong Factors) or more specifically CWE-690 (Unchecked Return Value to NULL Pointer Dereference), as the code wasn't validating the existence of the array element before use.
CVE Analysis Results:
CVE-2026-1004: No