Description
The Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploit succeeds even for users without the unfiltered_html capability because the payload (e.g., 'img src=x onerror=alert(document.domain)') contains no HTML angle brackets and therefore passes through Elementor's wp_kses_post() filter unchanged at save time.
Published: 2026-06-09
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Prime Elementor Addons plugin for WordPress is impacted by a stored cross‑site scripting flaw (CWE‑79). During widget creation, the plugin accepts HTML tag settings without adequate sanitization or escaping, allowing an authenticated contributor or higher to inject malicious script payloads that lack angle brackets and therefore bypass Elementor’s wp_kses_post() filter. The injected code executes in the browsers of any user who views the affected page, potentially exposing page visitors to phishing, cookie theft, or arbitrary code execution.
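The bypass comes down to the tag setting being run through a markup filter instead of being validated as a tag name. The Python model below is added here and is not code from the plugin, from Elementor or from the advisory: it shows why a kses-style filter returns an angle-bracket-free value unchanged, and how an allowlist check on the bare tag name (the approach Elementor's own Utils::validate_html_tag helper takes; the allowlist, the default tag and the CSS class used here are constructed for the example) keeps the raw setting out of the rendered markup.

```python
# Constructed allowlist of wrapper tags, modelled on the kind of list an
# Elementor validate_html_tag-style check uses. Exact membership is an
# assumption for this example, not the plugin's or Elementor's list.
ALLOWED_WRAPPER_TAGS = {
    "article", "aside", "div", "footer", "h1", "h2", "h3", "h4", "h5", "h6",
    "header", "main", "nav", "p", "section", "span",
}


def passes_kses_unchanged(value: str) -> bool:
    """Model of why wp_kses_post() does not help for a tag-name setting.

    kses only rewrites '<' / '>' delimited markup, so a value containing no
    angle brackets comes back exactly as submitted. Returns True when the
    value would pass through untouched.
    """
    return "<" not in value and ">" not in value


def validate_html_tag(tag: str, default: str = "div") -> str:
    """Hardened setting check: accept only a bare allowlisted tag name.

    Anything else (attributes, event handlers, unknown elements) falls back
    to the default. Whitespace is trimmed and the name is lower-cased.
    """
    candidate = tag.strip().lower()
    return candidate if candidate in ALLOWED_WRAPPER_TAGS else default


def render_wrapper(tag_setting: str, inner_html: str) -> str:
    """Render a widget wrapper from the validated tag, never the raw setting.

    The class name is constructed for the example. inner_html is assumed to
    be already-escaped content; this function only controls the tag name.
    """
    tag = validate_html_tag(tag_setting)
    return f'<{tag} class="example-widget">{inner_html}</{tag}>'


# Sample payload as quoted in the advisory text: no angle brackets at all.
PAYLOAD = "img src=x onerror=alert(document.domain)"

if __name__ == "__main__":
    print(passes_kses_unchanged(PAYLOAD))   # True: kses leaves it alone
    print(render_wrapper(PAYLOAD, "Hello"))  # falls back to <div ...>
    print(render_wrapper(" H2 ", "Hello"))   # <h2 class="example-widget">Hello</h2>
```

The point the asserts make is that the fix belongs at the setting, as a type check on the tag name, not at the markup filter, which has nothing to strip.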

Affected Systems

All WordPress installations running Prime Elementor Addons version 1.3.3 or earlier are affected. The plugin is published by wpmessiah under the name Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages.

Risk and Exploitability

The vulnerability scores a CVSS of 6.4, indicating moderate severity. Although no EPSS score is publicly available, the requirement of contributor‑level access limits the attacker set to users with editing rights. The flaw is not listed in the CISA KEV catalog. An attacker with appropriate permissions can inject scripts that will run in the browsers of all site visitors, compromising confidentiality and integrity of the site content.

Generated by OpenCVE AI on June 9, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prime Elementor Addons to version 1.3.4 or newer, which removes the flawed widget HTML tag settings logic
  • Limit contributor accounts to roles that do not have the capability to edit widgets, or remove contributors that are not required to edit Elementor widgets
  • Block or strip potentially dangerous content using a security plugin before saving widget settings to provide a temporary safeguard

Advisories

No advisories yet.

References
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Traits/PostGridRenderer.php#L164
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/AdvancedAccordion.php#L1396
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/CallToAction.php#L1631
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/Counter.php#L1079
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/InfoBox.php#L1623
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/InfoBox.php#L1645
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/TeamMember.php#L2638
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Traits/PostGridRenderer.php#L164
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/AdvancedAccordion.php#L1396
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/CallToAction.php#L1631
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/Counter.php#L1079
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/InfoBox.php#L1623
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/InfoBox.php#L1645
https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/TeamMember.php#L2638
https://plugins.trac.wordpress.org/changeset?old_path=unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.3&new_path=unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.4
https://www.wordfence.com/threat-intel/vulnerabilities/id/95136083-58d7-4ee4-b894-6910c3992d20?source=cve
History

Tue, 09 Jun 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 10:15:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress; Wpmessiah; Wpmessiah prime Elementor Addons – Lightweight Elementor Widgets For Faster Pages
Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress; Wpmessiah; Wpmessiah prime Elementor Addons – Lightweight Elementor Widgets For Faster Pages

Tue, 09 Jun 2026 08:45:00 +0000

Type: Description
Values added: the text shown in the Description section at the top of this record (identical wording)
Type: Title
Values added: Prime Elementor Addons <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget HTML Tag Settings
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-06-09T15:13:07.255Z
Reserved: 2026-05-15T13:20:51.029Z
Link: CVE-2026-8677

Vulnrichment
Updated: 2026-06-09T15:02:27.057Z

NVD
Status: Deferred
Published: 2026-06-09T09:16:31.310
Modified: 2026-06-09T13:33:34.393
Link: CVE-2026-8677

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-06-09T09:56:57Z

Weaknesses