Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS.

This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.8.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the Tim Strifler Exclusive Addons Elementor plugin that allows attackers to inject malicious JavaScript into the plugin's content fields. When that content is rendered in a visitor's browser, the injected script executes with the privileges of the visiting user, enabling defacement, credential theft, or session hijacking. The weakness corresponds to CWE-79 and can affect confidentiality, integrity, and availability for site visitors.

Affected Systems

All releases of the WordPress Exclusive Addons Elementor plugin up to and including version 2.7.9.8 are affected. The product is a WordPress extension by Tim Strifler that provides additional widgets for the Elementor page builder, allowing site administrators to store arbitrary content that is later rendered on public pages.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium risk level. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker with access to the Elementor admin interface entering malicious code into widget content; the CVSS vector (PR:L/UI:R) indicates that low privileges and user interaction are required. Once stored, the code runs in the context of any visitor to the affected page, so the vulnerability is of practical value to attackers and potentially exploitable through common web-application attack workflows.

Generated by OpenCVE AI on June 26, 2026 at 13:50 UTC.

Remediation

Vendor Solution

Update the WordPress Exclusive Addons Elementor Plugin to the latest available version (at least 2.7.9.9).


OpenCVE Recommended Actions

  • Update the Exclusive Addons Elementor plugin to version 2.7.9.9 or later, the first release that patches the XSS flaw.
  • After upgrading, audit all pages and widgets created with the plugin for any remaining malicious scripts and remove or sanitize them before publishing further content.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin to eliminate the attack surface until the patched version can be installed.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 26 Jun 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.8. |
| Title | | WordPress Exclusive Addons Elementor plugin <= 2.7.9.8 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:19:55.180Z

Reserved: 2026-06-25T08:03:02.838Z

Link: CVE-2026-57620

Vulnrichment

Updated: 2026-06-26T20:19:50.600Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T14:00:22Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')