Description
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget in all versions up to, and including, 6.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting that allows authenticated contributors or higher to inject arbitrary JavaScript into pages
Action: Patch Immediately
AI Analysis

Impact

The vulnerability exists in the Info Box widget of the Essential Addons for Elementor plugin for WordPress. Unsanitized user input and missing output escaping enable an authenticated user with contributor-level access to embed malicious scripts. These scripts run in the context of any user who visits a page that includes the compromised widget, exposing the site to cross-site scripting attacks.

Affected Systems

WordPress sites that use the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin, particularly versions up to and including 6.5.9. All installations of the plugin that have not upgraded to version 6.5.10 or later are potentially affected.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The low EPSS score of less than 1% suggests that exploitation is currently unlikely at scale, and the vulnerability is not listed in the CISA KEV catalog. However, the attack requires only contributor-level or higher authentication, which is a common capability on many WordPress sites. An attacker can inject arbitrary JavaScript that executes when a victim views the injected page, potentially leading to credential theft, session hijacking, defacement, or other malicious actions.

Generated by OpenCVE AI on April 15, 2026 at 17:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Essential Addons for Elementor to version 6.5.10 or later
  • If an upgrade cannot be applied immediately, disable the Info Box widget for contributor roles to prevent the vulnerable code from executing
  • Sanitize and escape all user supplied attributes in the Info Box widget to ensure proper output handling


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpdevteam; Wpdevteam essential Addons For Elementor – Popular Elementor Templates & Widgets

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpdevteam; Wpdevteam essential Addons For Elementor – Popular Elementor Templates & Widgets

Sat, 14 Feb 2026 10:00:00 +0000

Type: Description
Values Added: The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget in all versions up to, and including, 6.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Essential Addons for Elementor <= 6.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Info Box Widget

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added:

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpdevteam Essential Addons For Elementor – Popular Elementor Templates & Widgets
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:18.987Z

Reserved: 2026-01-27T22:58:33.198Z

Link: CVE-2026-1512

Vulnrichment

Updated: 2026-02-17T15:36:22.890Z

NVD

Status: Deferred

Published: 2026-02-14T10:16:06.627

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses