Description
The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sg_content_number_prefix' parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-02
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored XSS flaw in the 'sg_content_number_prefix' shortcode attribute of Jeg Kit for Elementor. WordPress users with contributor or higher privileges can inject arbitrary script that runs in the browser of anyone who views the affected page. The root cause is insufficient input sanitization and output escaping (CWE-79).

Affected Systems

The vulnerability affects the Jeg Kit for Elementor WordPress plugin from JegTheme. All versions up to and including 3.1.0 are affected. No other products or vendors are listed.

Risk and Exploitability

The flaw carries a CVSS score of 6.4, indicating substantial risk when exploited. While the EPSS score is very low (below 1%) and the CVE is not in the CISA KEV catalog, the fact that only contributor-level (non-admin) access is required keeps the barrier low on any site that grants that role. An attacker with contributor rights could inject script via the shortcode attribute, and it would execute for every visitor who loads the affected page. Exploitability and impact are therefore moderately high, especially on sites that accept user-generated content through the plugin.

Generated by OpenCVE AI on May 2, 2026 at 10:02 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Jeg Kit for Elementor to a version newer than 3.1.0 in which the attribute is properly sanitized and escaped.
  • If an immediate update is not possible, remove or disable the 'sg_content_number_prefix' functionality, or restrict the contributor role from creating or editing the plugin's content elements.
  • Verify, by testing the shortcode in a staging environment or with a security scanner, that contributor-level users can no longer inject script.

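The recommended actions above come down to one rule: a shortcode attribute that contributors can set must be normalised on input and escaped on output before it reaches the page. The following is an added illustrative example, not the plugin's own code (the real handler is not on this page): a hypothetical WordPress shortcode that renders a number prefix, shown first in the vulnerable shape the description implies and then in a hardened form. The shortcode name `jk_example_number` and the function names are assumptions; `shortcode_atts()`, `sanitize_text_field()`, `esc_html()` and `add_shortcode()` are standard WordPress core functions, so the snippet is meant to run inside a WordPress install (for instance as a small mu-plugin), not as a stand-alone script.

```php
<?php
/**
 * Added example, not Jeg Kit for Elementor code: a hypothetical shortcode
 * handler for a content-number prefix, in a vulnerable and a hardened form.
 */

// Vulnerable pattern: the attribute value is concatenated into markup untouched.
// Any HTML-significant characters in the stored value are rendered as markup
// rather than as text, for every visitor of the page (CWE-79).
function jk_example_content_number_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'sg_content_number_prefix' => '' ),
        $atts
    );
    $prefix = $atts['sg_content_number_prefix'];
    return '<span class="jk-number-prefix">' . $prefix . '</span>';
}

// Hardened pattern: sanitize on the way in, escape on the way out.
function jk_example_content_number_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'sg_content_number_prefix' => '' ),
        $atts
    );
    // sanitize_text_field() strips tags, control characters and stray
    // percent-encoding, so only plain text survives as the stored prefix.
    $prefix = sanitize_text_field( $atts['sg_content_number_prefix'] );
    // esc_html() entity-encodes <, >, &, " and ' at render time, so even a
    // value that slipped past input filtering is emitted as literal text.
    // If the value were placed inside an HTML attribute instead of a text
    // node, esc_attr() would be the matching output escape.
    return '<span class="jk-number-prefix">' . esc_html( $prefix ) . '</span>';
}

// Register only the hardened handler; the unsafe one is kept above purely
// for comparison and is never wired to a shortcode.
add_shortcode( 'jk_example_number', 'jk_example_content_number_safe' );

// Constructed sample value for a quick check in a staging site: the unsafe
// handler returns the <b> tag as live markup, the safe handler returns
// "No. &lt;b&gt;bold&lt;/b&gt;" inside the span.
$jk_example_sample = array( 'sg_content_number_prefix' => 'No. <b>bold</b>' );
```

The two-step shape matters: `sanitize_text_field()` alone is input validation and can be bypassed by whatever path writes the value without going through it, while `esc_html()` at the point of output protects every render regardless of how the value was stored. Escaping at output is also what makes the third recommended action testable: rendering the sample value through the hardened handler and confirming the `<b>` appears entity-encoded in the page source is the check that the fix is in place.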

Advisories

No advisories yet.

History

Sat, 02 May 2026 06:00:00 +0000

Change record (initial publication; no values removed)

Description
  Added: The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sg_content_number_prefix' parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Title
  Added: Jeg Kit for Elementor <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sg_content_number_prefix' Shortcode Attribute

Weaknesses
  Added: CWE-79

References
  Added: (none listed)

Metrics
  Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T05:29:28.104Z

Reserved: 2026-04-23T15:55:36.551Z

Link: CVE-2026-6916

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T06:16:04.490

Modified: 2026-05-02T06:16:04.490

Link: CVE-2026-6916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses