Stored Cross-Site Scripting Vulnerability in aThemes Addons for Elementor Plugin
CVE-2026-8613
6.4MEDIUM
What is CVE-2026-8613?
The aThemes Addons for Elementor plugin for WordPress has a vulnerability that allows authenticated attackers, with contributor-level access or higher, to inject malicious web scripts through the 'title_tag' Widget Setting. This issue arises from inadequate input sanitization and output escaping, affecting features such as the Posts Timeline and Posts Carousel widgets. As a result, any user accessing a page with the exploited widget may inadvertently trigger the execution of the injected scripts, potentially compromising user data and site integrity.
Affected Version(s)
aThemes Addons for Elementor 0 <= 1.1.8