Description
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered inside an HTML class attribute. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-07-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetWidgets For Elementor for WordPress contains a stored cross‑site scripting flaw when the Animated Box widget’s animation_effect option is saved. The plugin does not escape or validate this value before injecting it into an HTML class attribute. As a result, an attacker with author or higher privileges can insert arbitrary JavaScript that will run whenever anyone views the edited page. Based on the description, it is inferred that this injected script could compromise the confidentiality, integrity and availability of users who access the affected content.

Affected Systems

Any WordPress site that has JetWidgets For Elementor installed, version 1.0.21 or earlier, is vulnerable.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate to high severity. The EPSS score is not available, so the latest statistical likelihood of exploitation cannot be quantified. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires authenticated author‑level access; the attack vector is not remote but relies on legitimate WordPress privileges. Because malicious scripts execute on page load, it is inferred that the potential damage in terms of data theft or session hijacking could be significant for the site’s user base.

Generated by OpenCVE AI on July 1, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetWidgets For Elementor to a version newer than 1.0.21
  • If an upgrade is not immediately available, remove or disable the Animated Box widget or reset its animation_effect setting to a safe value
  • Restrict author‑level and higher roles to only trusted users and review page‑edit permissions
  • Apply Content Security Policy headers that restrict execution of inline scripts

Generated by OpenCVE AI on July 1, 2026 at 12:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Jetmonsters
Jetmonsters jetwidgets For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Jetmonsters
Jetmonsters jetwidgets For Elementor
Wordpress
Wordpress wordpress

Wed, 01 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 05:00:00 +0000

Type Values Removed Values Added
Description The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered inside an HTML class attribute. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title JetWidgets For Elementor <= 1.0.21 - Authenticated (Author+) Stored Cross-Site Scripting via Animated Box 'animation_effect' Setting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Jetmonsters Jetwidgets For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:42:10.679Z

Reserved: 2026-06-05T12:53:14.413Z

Link: CVE-2026-11380

cve-icon Vulnrichment

Updated: 2026-07-01T10:33:33.111Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T14:15:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')