Stored Cross-Site Scripting Vulnerability in Prime Elementor Addons Plugin for WordPress
CVE-2026-8677

6.4MEDIUM

What is CVE-2026-8677?

The Prime Elementor Addons plugin for WordPress contains a vulnerability that allows authenticated users with contributor-level access or higher to exploit Stored Cross-Site Scripting through the Widget HTML Tag Settings. Due to inadequate input sanitization and output escaping, attackers can introduce malicious scripts into pages, which execute when users visit those affected pages. This vulnerability specifically circumvents security measures by allowing payloads that do not utilize HTML angle brackets, thus bypassing Elementor's wp_kses_post() filter during the saving process.

Affected Version(s)

Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages 0 <= 1.3.3

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Romain Deperne
.