Stored Cross-Site Scripting Vulnerability in Animation Addons for Elementor Plugin
CVE-2026-15299
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15299?
The Animation Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting vulnerability through the 'weather_style' and 'move_direction' parameters of the Weather widget. This issue arises due to inadequate output escaping in the render() function, allowing an authenticated attacker with Contributor-level access or above to inject malicious scripts. These scripts are stored and executed without proper sanitization whenever the affected page is visited. Users leveraging the Weather widget with OpenWeatherMap API integration are particularly at risk, as the payloads are rendered unescaped, compromising the security of the site.
Affected Version(s)
Animation Addons for Elementor β GSAP Motion Elementor Addons & Website Templates 0 <= 2.6.3