CVE-2026-3034 – The OoohBoi Steroids for Elementor WordPress pl... (How to Fix)

Q: What is the severity of CVE-2026-3034?

CVE-2026-3034 has a CVSS score of 6.4 (MEDIUM). The OoohBoi Steroids for Elementor WordPress plugin has a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into web pages. These scripts execute when users click on the injected elements, potentially compromising user sessions or redirecting to malicious sites. This affects all versions up to and including 2.1.24.

📋 TL;DR

The OoohBoi Steroids for Elementor WordPress plugin has a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into web pages. These scripts execute when users click on the injected elements, potentially compromising user sessions or redirecting to malicious sites. This affects all versions up to and including 2.1.24.

💻 Affected Systems

Products:

OoohBoi Steroids for Elementor WordPress plugin

Versions: All versions up to and including 2.1.24

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with Elementor plugin installed. Vulnerability is present in default plugin configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, perform session hijacking, redirect users to phishing sites, or deface websites by injecting malicious content.

🟠

Likely Case

Attackers with contributor access inject malicious scripts that steal user cookies or session tokens when clicked, potentially compromising user accounts.

🟢

If Mitigated

With proper input validation and output encoding, the scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access (Contributor role or higher). The vulnerability is in JavaScript files that handle URL parameters without proper sanitization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.25 or later

Vendor Advisory: https://wordpress.org/plugins/ooohboi-steroids-for-elementor/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'OoohBoi Steroids for Elementor'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.1.25+ from WordPress plugin repository and manually update.

🔧 Temporary Workarounds

Remove vulnerable plugin

all

Temporarily disable or remove the vulnerable plugin until patched version is available

wp plugin deactivate ooohboi-steroids-for-elementor
wp plugin delete ooohboi-steroids-for-elementor

Restrict user roles

all

Temporarily restrict Contributor-level access or implement additional monitoring for users with editing privileges

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block XSS payloads in URL parameters
Add Content Security Policy (CSP) headers to restrict script execution sources

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin panel under Plugins → Installed Plugins. Look for OoohBoi Steroids for Elementor version 2.1.24 or earlier.

Check Version:

wp plugin get ooohboi-steroids-for-elementor --field=version

Verify Fix Applied:

Verify plugin version is 2.1.25 or later. Test that URL parameters _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

Unusual POST/GET requests containing script tags or JavaScript in URL parameters
Multiple failed login attempts followed by successful contributor-level access

Network Indicators:

HTTP requests with suspicious script payloads in _ob_spacerat_link, _ob_bbad_link, or _ob_teleporter_link parameters

SIEM Query:

source="wordpress" AND (url="*_ob_spacerat_link=*script*" OR url="*_ob_bbad_link=*script*" OR url="*_ob_teleporter_link=*script*")

📊 Metadata

CVE ID: CVE-2026-3034

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: March 5, 2026

Last Updated: March 5, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-3034, you might also want to check these: