Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS.This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.2.
Published: 2026-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Themesflat Add‑ons for Elementor WordPress plugin. The plugin fails to neutralize user‑supplied input during page rendering, enabling an attacker to embed malicious JavaScript that will execute in the browsers of anyone who views a page that includes the tainted content. This can lead to session hijacking, defacement, and redirection, compromising the confidentiality and integrity of site users.

Affected Systems

WordPress sites running the Themesflat Add‑ons for Elementor plugin from any version up to and including 2.3.2 are affected. The product is offered by Themesflat under the name "themesflat-addons-for-elementor."

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity, and an EPSS score of less than 1 %, signifying a low probability of exploitation. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker submitting malicious input via the plugin’s content or custom widget features; the stored script is then rendered to site visitors when the affected pages are displayed.

Generated by OpenCVE AI on April 13, 2026 at 21:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Themesflat Add‑ons for Elementor plugin to version 2.3.3 or later.
  • If an update is not immediately possible, consider temporarily disabling or removing the plugin until a patch is applied.

Generated by OpenCVE AI on April 13, 2026 at 21:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Themesflat
Themesflat themesflat Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Themesflat
Themesflat themesflat Addons For Elementor
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS.This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.2.
Title WordPress themesflat-addons-for-elementor plugin <= 2.3.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Themesflat Themesflat Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-13T18:51:37.272Z

Reserved: 2026-04-07T10:47:43.844Z

Link: CVE-2026-39500

cve-icon Vulnrichment

Updated: 2026-04-13T18:51:34.423Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:24.230

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39500

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:40:00Z

Weaknesses