Stored Cross-Site Scripting in Premium Addons for Elementor Plugin by WordPress
CVE-2026-4790

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Premium Addons For Elementor – Powerful Elementor Templates & Widgets
Vendor: CVE Published:; 2 May 2026

What is CVE-2026-4790?

The Premium Addons for Elementor plugin for WordPress contains a vulnerability that allows authenticated contributors and above to execute arbitrary web scripts through the 'custom_svg' parameter. This occurs due to inadequate input sanitization and output escaping, posing a risk to users accessing pages that have been compromised.

Affected Version(s)

Premium Addons for Elementor – Powerful Elementor Templates & Widgets 0 <= 4.11.70

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3495451/prem...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
Mar 24, 2026

Credit

Fernando Mecozzi

CVE-2026-4790 Data

JSON