Description
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_svg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows authenticated WordPress users with contributor or higher privileges to inject arbitrary JavaScript through the Premium Addons for Elementor plugin's 'custom_svg' parameter. Because the cross‑site scripting is stored, the malicious code is saved within the plugin's content and executed whenever any site user views the affected page. This can lead to session hijacking, credential theft, defacement, or other client‑side attacks against visitors to the compromised site.

Affected Systems

WordPress sites running the leap13 Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin, versions 4.11.70 or earlier. No other vendors or products are affected according to the provided CNA data.

Risk and Exploitability

The CVSS score of 5.4 classifies the flaw as moderate; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only contributor‑level access or higher, so an attacker who has already obtained credentials or compromised the site's admin account can inject malicious scripts simply by supplying a crafted custom SVG. The impact is confined to site visitors who view the injected page, but the effect can be widespread across all users of the affected WordPress installation.

Generated by OpenCVE AI on May 2, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Premium Addons for Elementor plugin to the latest version (4.11.71 or newer) to remove the stored XSS vulnerability.
  • If an upgrade is not immediately possible, delete or sanitize any custom SVG content that has been injected and remove or replace the affected page(s) with clean content.
  • Revoke contributor or higher privileges from accounts that are not explicitly required for content editing, or restrict the 'custom_svg' capability until the plugin is updated.

Advisories

No advisories yet.

History

Sat, 02 May 2026 11:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_svg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | Premium Addons for Elementor <= 4.11.70 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_svg' Parameter
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T11:16:10.577Z

Reserved: 2026-03-24T21:08:44.153Z

Link: CVE-2026-4790

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T12:16:16.613

Modified: 2026-05-02T12:16:16.613

Link: CVE-2026-4790

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:30:27Z

Weaknesses