Stored Cross-Site Scripting Vulnerability in JetWidgets for Elementor Plugin by WordPress
CVE-2026-11380

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
1 July 2026

What is CVE-2026-11380?

The JetWidgets for Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting vulnerabilities in versions up to 1.0.21. This security flaw arises from inadequate output escaping and a lack of server-side validation for the animation_effect setting in the Animated Box widget. Authenticated users with author-level access or higher can exploit this vulnerability to inject arbitrary web scripts into rendered pages, leading to potential exploitation whenever users access these compromised pages.

Affected Version(s)

JetWidgets For Elementor 0 <= 1.0.21

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn (Jitlada)
.