Stored Cross-Site Scripting in Elementor Kits & Patterns Plugin for WordPress
CVE-2026-6565

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 27 May 2026

What is CVE-2026-6565?

The Style Kits – Advanced Theme Styles for Elementor plugin is affected by a Stored Cross-Site Scripting vulnerability caused by insufficient input sanitization and output escaping. The flaw is in the '/wp-json/agwp/v1/tokens/save' endpoint, where kit title parameters are not validated and can be abused by authenticated users with contributor-level access or higher. An attacker can inject arbitrary web scripts, which then execute whenever any user accesses the page containing the injected content.

Affected Version(s)

Style Kits for Elementor 0 <= 2.5.0

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn
Itthidej Aramsri