Stored Cross-Site Scripting in Premium Addons for Elementor by WordPress
CVE-2026-12141

4.9MEDIUM

What is CVE-2026-12141?

The Premium Addons for Elementor plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting (XSS) via the 'premium_tooltip_text' parameter. This issue arises from inadequate input sanitization and output escaping, enabling authenticated attackers with contributor-level access and higher to inject malicious web scripts into pages. The attack is triggered when a user with administrative privileges opens a compromised post within the Elementor editor, causing the injected payload to execute through unescaped output in the print_template() method. This vulnerability can effectively lead to unauthorized actions being performed on behalf of the user, particularly affecting how Elementor handles certain inputs.

Affected Version(s)

Premium Addons for Elementor – Powerful Elementor Templates & Widgets 0 <= 4.11.84

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chloe Chamberland
PRISM
.