Stored Cross-Site Scripting Vulnerability in News Kit Addons for Elementor by WordPress
CVE-2026-11390
6.4MEDIUM
What is CVE-2026-11390?
The News Kit Addons for Elementor plugin for WordPress has a security flaw that allows authenticated attackers with contributor-level or higher access to exploit stored cross-site scripting vulnerabilities via the Site Logo Title and Single Author Box widgets. Due to insufficient sanitization and output escaping, attackers can inject arbitrary web scripts into pages viewed by users. Exploitation requires the attacker to manipulate the elementor_ajax AJAX save request, effectively bypassing client-side restrictions to submit malicious tag-name values. This vulnerability can lead to significant security risks, allowing for the unauthorized execution of scripts on user devices.
Affected Version(s)
News Kit Addons For Elementor 0 <= 1.4.6