Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting
Action: Patch
AI Analysis

Impact

The plugin contains a stored cross-site scripting flaw that allows an attacker to insert malicious JavaScript into content fields that are later rendered on visitor pages. If exploited, the script runs in the browser context of any user viewing the affected page, enabling session hijacking, credential theft, defacement, or redirection to malicious sites. This poses a significant risk to confidentiality, integrity, and availability for sites that publish content through the widget or editor.

Affected Systems

The vulnerability impacts the WPBITS Addons For Elementor Page Builder plugin supplied by wpbits. Any installation of version 1.8.1 or earlier is susceptible; later versions are presumed fixed. Sites using this plugin on WordPress are at risk.

Risk and Exploitability

The likely attack vector involves an authenticated or otherwise privileged user submitting malicious content via the plugin’s editor or widget fields, which is stored and later rendered to all visitors. No EPSS score or KEV status is available, but stored XSS is generally considered a severe risk due to its ability to affect every page visitor without additional action. The absence of a public patch in the CVE record indicates that updating to a version newer than 1.8.1 is necessary; until such a patch is applied, the vulnerability remains exploitable.

Generated by OpenCVE AI on April 8, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPBITS Addons For Elementor Page Builder to a version newer than 1.8.1 if available.
  • If an update is not immediately available, consider disabling the plugin or removing untrusted widget content.
  • Check the vendor’s website or support channels for new patches or advisories.

Generated by OpenCVE AI on April 8, 2026 at 11:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpbits
Wpbits wpbits Addons For Elementor Page Builder
Vendors & Products Wordpress
Wordpress wordpress
Wpbits
Wpbits wpbits Addons For Elementor Page Builder

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.
Title WordPress WPBITS Addons For Elementor Page Builder plugin <= 1.8.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
Wpbits Wpbits Addons For Elementor Page Builder
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:47.201Z

Reserved: 2026-04-07T10:58:22.475Z

Link: CVE-2026-39703

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T09:16:42.950

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:40:16Z

Weaknesses