Stored Cross-Site Scripting Vulnerability in Animation Addons for Elementor Plugin
CVE-2026-15299

6.4MEDIUM

What is CVE-2026-15299?

The Animation Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting vulnerability through the 'weather_style' and 'move_direction' parameters of the Weather widget. This issue arises due to inadequate output escaping in the render() function, allowing an authenticated attacker with Contributor-level access or above to inject malicious scripts. These scripts are stored and executed without proper sanitization whenever the affected page is visited. Users leveraging the Weather widget with OpenWeatherMap API integration are particularly at risk, as the payloads are rendered unescaped, compromising the security of the site.

Affected Version(s)

Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates 0 <= 2.6.3

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio (Os)
.