{
  "parent_cve": "CVE-2026-11380",
  "parent_sink": "Jet_Widgets_Base::__html() renders animation_effect raw into the Animated Box class attribute",
  "variant_sink": "Jet_Widgets_Base::__loop_item() renders features_list item_text raw into the Pricing Table feature text span",
  "shared_root_cause": "Widget setting values are printed through Jet_Widgets_Base helper methods (__html / __loop_item) without output escaping or server-side validation, allowing stored values to be emitted verbatim into the rendered page.",
  "same_trust_boundary": true,
  "same_attacker_capability": true,
  "same_impact_class": "stored cross-site scripting (XSS) via authenticated author-level access",
  "same_affected_product": "jetwidgets-for-elementor",
  "different_entry_point": true,
  "different_widget": true,
  "different_setting": true,
  "different_helper": "__loop_item() instead of __html()",
  "fix_does_not_cover_variant": true,
  "notes": "The vendor's 1.0.22 fix added allow-list validation and esc_attr() for the Animated Box animation_effect and the Pricing Table button controls, but left __loop_item() and the features-loop-item.php template unchanged. The variant therefore reaches the same stored XSS impact through a different widget, setting, and helper method, and still reproduces on the patched 1.0.22 release."
}
