CVE-2026-8613: aThemes Elementor Plugin Stored XSS in Posts Widget
The aThemes Addons for Elementor plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in multiple widget components. A WordPress contributor or higher-privilege user can inject malicious JavaScript into page settings that will execute in the browsers of any visitor to that page. The vulnerability exists in the Posts Timeline widget and Posts Carousel widget (across its default, Banner, and Modern variants) due to missing input validation on the 'title_tag' setting. The same plugin's Posts List widget correctly implements this validation, indicating the flaw is inconsistently applied across the codebase.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8613 is a stored XSS vulnerability affecting aThemes Addons for Elementor up to version 1.1.8. The root cause is insufficient input sanitization and output escaping of the 'title_tag' widget setting parameter. The vulnerability is present in the Posts Timeline widget and Posts Carousel widget (including its default, Banner, and Modern skin variants). The Posts List widget in the same plugin correctly uses whitelist validation for the same parameter, demonstrating that the affected widgets lack the necessary security controls. The network-accessible nature, low complexity attack vector, and lack of user interaction requirement result in a CVSS v3.1 score of 6.4 (Medium). Exploitation requires authenticated access at contributor level or above, limiting the immediate threat surface but still significant for multi-user WordPress installations.
Business impact
For WordPress sites using aThemes Addons for Elementor, this vulnerability creates a persistent content injection risk from privileged users. Compromised contributor accounts—whether through weak credentials, supply chain compromise, or insider threat—can inject malware, credential-stealing forms, or malicious redirects into public pages. This affects site reputation, visitor trust, and compliance with content integrity requirements. Multi-author publishing platforms and agencies managing client sites face elevated risk since any contributor can exploit this flaw. The stored nature of the attack means the payload persists across page reloads and cache cycles, maximizing dwell time and exposure.
Affected systems
The vulnerability affects aThemes Addons for Elementor in all versions up to and including 1.1.8. It impacts the Posts Timeline widget and Posts Carousel widget across all its presentation modes (default, Banner, and Modern skins). Any WordPress installation with this plugin version and user accounts at contributor level or above is at risk. The Posts List widget in the same plugin is not vulnerable because it correctly implements whitelist validation.
Exploitability
Exploitation requires an authenticated WordPress user account with at least contributor-level privileges. No user interaction (such as social engineering or phishing) is needed beyond account compromise—the injected script executes automatically when site visitors access the affected page. The attack is straightforward: edit a widget title_tag field, inject JavaScript, publish, and the payload persists. The low complexity and lack of user interaction requirement are reflected in the CVSS score. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date, but the simplicity and persistence of stored XSS attacks make it an attractive target for opportunistic attackers.
Remediation
Update aThemes Addons for Elementor to a patched version that addresses the input sanitization and output escaping gap. Verify the available patch version against the aThemes plugin repository or vendor advisory. As an interim measure, restrict contributor-level access to only trusted users and monitor page revisions and widget edits for suspicious changes. Consider using WordPress security plugins that detect and flag stored XSS payloads in post meta and widget settings. For high-risk sites, disable the affected Posts Timeline and Posts Carousel widgets until patching is complete.
Patch guidance
Locate the aThemes Addons for Elementor plugin in your WordPress admin dashboard under Plugins. Check for available updates; the patched version should address the insufficient sanitization of the 'title_tag' parameter in the Posts Timeline and Posts Carousel widgets. If updates are available, apply them after testing in a staging environment. Verify the update resolves the vulnerability by checking the aThemes changelog or vendor advisory documentation. If no update is currently available, contact aThemes support for an estimated patch timeline. After patching, audit recent edits to any pages using the affected widgets to confirm no malicious payloads were injected during the window of vulnerability.
Detection guidance
Review WordPress post meta and widget settings for the Posts Timeline and Posts Carousel widgets for unexpected script tags or encoded JavaScript in the 'title_tag' field. Use WordPress audit plugins or manual database queries to inspect widget settings for HTML event handlers (onload, onerror, etc.) or <script> tags. Monitor WordPress user activity logs for contributor-level accounts creating or editing pages containing these widgets, especially outside business hours or by users not typically responsible for those pages. Check your Web Application Firewall (WAF) or WordPress security plugin logs for attempts to inject scripts into widget settings. Examine page source code and network traffic from affected pages for unexpected JavaScript execution.
Why prioritize this
This vulnerability warrants medium priority in patch scheduling. While it requires authenticated access (reducing opportunistic exploitation), contributor accounts are often shared, delegated to contractors, or compromised through credential leaks. The stored nature of the payload means once injected, it affects every site visitor without additional effort, creating persistent business and reputation risk. Organizations with multiple contributors or those managing client sites should prioritize patching before lower-privilege user management updates. If your site has had recent suspicious contributor account activity or unauthorized page changes, prioritize this patch as a potential indicator of compromise.
Risk score, explained
The CVSS v3.1 score of 6.4 (Medium) reflects a network-accessible vulnerability with low attack complexity and low privileges required (contributor-level), but no user interaction needed and limited scope expansion. The confidentiality and integrity impacts are low because the attacker can only inject content into specific widget parameters, not access arbitrary database records or gain system-level control. The lack of availability impact (no denial of service) and the requirement for prior authentication prevent a higher score. In practice, the risk is elevated for multi-user sites and organizations where contributor accounts are numerous or delegated, but lower for single-author blogs with strict access controls.
Frequently asked questions
Can this vulnerability be exploited by unauthenticated attackers?
No. The vulnerability requires an authenticated WordPress user account with at least contributor-level privileges. An attacker must either compromise a legitimate account or be granted contributor access directly. However, contributor credentials are often less tightly guarded than admin credentials and may be shared across multiple users or contractors.
Does every WordPress site with this plugin version have the same risk?
Not equally. Sites with more contributors, agencies managing multiple client sites, or those with weaker access controls face higher risk. Single-author blogs or those with tightly managed contributor lists have a smaller attack surface. Sites that have already restricted contributor permissions to only HTML-safe content have some protection, but the vulnerability still exists at the plugin level.
Why is the Posts List widget not vulnerable while Posts Carousel is?
The Posts List widget correctly implements whitelist validation for the 'title_tag' parameter, whereas Posts Carousel and Posts Timeline omit this check. This suggests the vulnerable widgets were either developed by different team members without knowledge of the secure pattern, or the validation was added to Posts List in a later iteration without being backported to the other widgets. It's a common occurrence in plugin development where security measures are inconsistently applied.
What should I do if I've found malicious scripts in a widget already?
Immediately remove the malicious content from the affected widget and publish the page again to clear the stored payload from site visitors' browsers. Review your WordPress audit logs to determine when the injection occurred and which user account made the change. If the account was compromised, force a password reset and check for other unauthorized edits. Consider restoring from a clean backup if multiple pages were affected and you cannot verify the scope of injection.
This analysis is provided for informational purposes to help security teams prioritize and understand this vulnerability. The information reflects the state of the vulnerability as of the publication date. Patch versions, affected product lines, and vendor guidance may change; always verify current information against official vendor advisories and security bulletins before taking remediation action. SEC.co does not provide legal advice or guarantee the completeness or accuracy of third-party vendor disclosures. Organizations should conduct their own risk assessment and testing in accordance with their change management and business continuity policies. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings