Description
The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the ElementsKit Elementor Addons and Templates plugin for WordPress. The short‑tab widget accepts an "ekit_tab_title" value that is stored without proper sanitization or escaping. When a page containing the tab is viewed by any user, the injected script runs in their browser, enabling the attacker to steal credentials, perform actions on the victim’s behalf, or compromise site integrity. The weakness is described by CWE‑79: Improper Neutralization of Input During Web Page Generation.

Affected Systems

The impacted product is ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor, supplied by roxnor. All releases up to and including version 3.7.9 are vulnerable. Versions 3.8.0 and newer contain the fix and therefore are not affected.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and the vulnerability is not listed in CISA’s KEV catalog, suggesting low current exploitation prevalence. However, the flaw requires only authenticated contributor access, a privilege commonly granted to site editors, and affects any visitor who views the malicious tab. Consequently, an attacker with contributor rights can compromise user sessions and the site’s reputation with minimal effort.

Generated by OpenCVE AI on April 4, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the current ElementsKit plugin version on the WordPress dashboard.
  • If the version is 3.7.9 or earlier, update the plugin to 3.8.0 or newer as soon as possible.
  • Verify that the tab widget no longer accepts or displays malicious scripts after the update.
  • Consider revoking contributor or higher-level access from untrusted users until the update is applied, or add a double‑check on tab titles before saving.
  • Monitor site activity and error logs for any attempts to inject scripts after the patch.
  • If an update cannot be applied immediately, disable or remove the Simple Tab widget from publicly accessible pages until a fix is available.

Generated by OpenCVE AI on April 4, 2026 at 11:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Roxnor
Roxnor elementskit Elementor Addons – Advanced Widgets & Templates Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Roxnor
Roxnor elementskit Elementor Addons – Advanced Widgets & Templates Addons For Elementor
Wordpress
Wordpress wordpress

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title ElementsKit Elementor Addons and Templates <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Simple Tab Widget
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Roxnor Elementskit Elementor Addons – Advanced Widgets & Templates Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:11.732Z

Reserved: 2026-02-16T20:54:31.358Z

Link: CVE-2026-2600

cve-icon Vulnrichment

Updated: 2026-04-06T15:30:09.081Z

cve-icon NVD

Status : Deferred

Published: 2026-04-04T08:16:06.370

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-2600

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:21:00Z

Weaknesses