Stored Cross-Site Scripting in Premium Addons for Elementor by WordPress
CVE-2026-12141
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-12141?
The Premium Addons for Elementor plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting (XSS) via the 'premium_tooltip_text' parameter. This issue arises from inadequate input sanitization and output escaping, enabling authenticated attackers with contributor-level access and higher to inject malicious web scripts into pages. The attack is triggered when a user with administrative privileges opens a compromised post within the Elementor editor, causing the injected payload to execute through unescaped output in the print_template() method. This vulnerability can effectively lead to unauthorized actions being performed on behalf of the user, particularly affecting how Elementor handles certain inputs.
Affected Version(s)
Premium Addons for Elementor β Powerful Elementor Templates & Widgets 0 <= 4.11.84