Stored Cross-Site Scripting Vulnerability in Prime Elementor Addons Plugin for WordPress
CVE-2026-8677
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 June 2026
What is CVE-2026-8677?
The Prime Elementor Addons plugin for WordPress contains a vulnerability that allows authenticated users with contributor-level access or higher to exploit Stored Cross-Site Scripting through the Widget HTML Tag Settings. Due to inadequate input sanitization and output escaping, attackers can introduce malicious scripts into pages, which execute when users visit those affected pages. This vulnerability specifically circumvents security measures by allowing payloads that do not utilize HTML angle brackets, thus bypassing Elementor's wp_kses_post() filter during the saving process.
Affected Version(s)
Prime Elementor Addons β Lightweight Elementor Widgets for Faster Pages 0 <= 1.3.3