MEDIUM 6.4

CVE-2026-8677: Stored XSS in Prime Elementor Addons WordPress Plugin (v1.3.3)

Prime Elementor Addons, a WordPress plugin for building pages with Elementor, has a stored cross-site scripting (XSS) vulnerability that allows contributors and higher-privileged users to inject malicious scripts into pages. When other users view those pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive information. The vulnerability persists through versions up to 1.3.3 because the plugin fails to properly sanitize widget HTML settings before storing them.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploit succeeds even for users without the unfiltered_html capability because the payload (e.g., 'img src=x onerror=alert(document.domain)') contains no HTML angle brackets and therefore passes through Elementor's wp_kses_post() filter unchanged at save time.

16 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8677 is a Stored XSS vulnerability in Prime Elementor Addons affecting Widget HTML Tag Settings. The flaw stems from insufficient input sanitization and output escaping. Notably, the vulnerability exploits a bypass of Elementor's wp_kses_post() filter: payloads without HTML angle brackets (e.g., 'img src=x onerror=alert(document.domain)') pass through the filter unchanged at save time because wp_kses_post() does not strip event handlers in attribute contexts. This allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript that persists in the database and executes in the browsers of all page visitors, regardless of their own unfiltered_html capability.

Business impact

Organizations relying on Prime Elementor Addons face a direct risk to their WordPress site integrity and user security. Compromised pages can redirect users, harvest credentials, deface content, or inject malicious downloads. The vulnerability is particularly dangerous because it affects authenticated users who are often trusted operationally—meaning a disgruntled contributor or a compromised contributor account becomes a vector for persistent site-wide attacks. Any multi-user WordPress environment using this plugin should treat this as a priority containment issue.

Affected systems

Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin through version 1.3.3 for WordPress. The plugin is installed and activated on WordPress sites that use Elementor page building. Any WordPress environment with the plugin active and users granted contributor-level or administrative access is in scope. Users with lower privileges (subscribers, authors without the unfiltered_html cap) cannot directly exploit this, but they may be targets of injected content.

Exploitability

Exploitability is moderate-to-high within environments where contributor-level access exists. An attacker needs WordPress authentication at contributor level or above, but does not need administrative privileges or the unfiltered_html capability. Once authenticated, the exploit is straightforward: inject a crafted payload (such as an img tag with an onerror event handler) into a widget's HTML setting, save the page, and the payload persists and executes for all site visitors. No user interaction beyond visiting the page is required. However, the attack is limited to those with initial widget editing access; it is not a zero-day or unauthenticated vector.

Remediation

Update Prime Elementor Addons to a version patched after 1.3.3 as soon as the vendor releases a fix. Until a patch is available, restrict contributor-level access strictly to trusted personnel, disable the plugin if it is non-critical, or manually audit all pages and widgets created or modified by contributors to remove suspicious HTML payloads. Implement capability restrictions so that only administrators can edit widget HTML settings if the plugin supports such controls.

Patch guidance

Monitor the Prime Elementor Addons plugin repository and vendor advisories for a patched version beyond 1.3.3. When available, apply the update immediately via the WordPress admin panel or command line. Verify the fix in release notes to confirm that input sanitization and output escaping for Widget HTML Tag Settings have been enhanced. Test the patched version in a staging environment first to ensure compatibility with existing page content.

Detection guidance

Search WordPress page and post post_content fields in the database for suspicious HTML or JavaScript patterns in Elementor widget data—specifically look for onerror, onclick, onload, and other event handlers embedded in img, script, iframe, or object tags. Review WordPress user audit logs for unexpected widget edits by contributor or author accounts, especially after hours or from unfamiliar locations. Monitor browser console errors and network logs for unexpected script execution on pages using Prime Elementor Addons widgets. Use a WordPress security plugin with XSS detection capabilities to scan widget configurations.

Why prioritize this

Although the CVSS score is 6.4 (MEDIUM), the practical risk is elevated because this is a Stored XSS affecting all site visitors and requires only user-level authentication to exploit. The persistent nature of stored XSS makes it especially dangerous—the payload remains live until manually removed. For multi-user or public-facing WordPress sites, this should be treated as a high-priority containment and remediation issue, especially if contributor accounts are in use.

Risk score, explained

The CVSS 3.1 score of 6.4 reflects Medium severity because the attack vector is network (reachable remotely), requires low complexity, requires authenticated access (contributor-level), involves no user interaction at exploit time, and impacts confidentiality and integrity across scope (other users' sessions). However, stored XSS poses greater real-world risk than reflected by the baseline score: persistence, broad impact across all visitors, and the common operational practice of granting contributor access to content teams all increase incident severity. Organizations should factor in their own risk tolerance for stored cross-site scripting when deciding priority.

Frequently asked questions

Can a subscriber or unauthenticated user exploit this vulnerability?

No. The vulnerability requires at least contributor-level WordPress authentication. Subscribers and unauthenticated users cannot directly inject the payload, but they are victims—their browsers will execute the injected scripts when they visit compromised pages.

Why does the payload bypass Elementor's wp_kses_post() filter?

The wp_kses_post() function is designed to strip dangerous HTML tags and attributes, but it does not filter event handlers that are part of attribute values in certain contexts. A payload like 'img src=x onerror=alert(...)' contains no angle brackets in the img tag itself and may pass through if the filter configuration does not explicitly handle onerror attributes in that context. Prime Elementor's implementation fails to add output escaping to prevent the browser from interpreting these event handlers.

What should I do if I find malicious widget content in my site?

Immediately edit the affected page/widget in Elementor, remove the malicious payload, and save. Search other pages for similar patterns using the detection guidance provided. Review access logs to identify which user account injected the content and determine if the account has been compromised. Consider rotating credentials and checking for other unauthorized changes.

Will updating the plugin remove existing malicious payloads from my pages?

No. A security update will prevent future injection but will not automatically clean existing compromised content. You must manually audit and remove any injected payloads from your pages after patching. Treat the patch as a prevention measure and conduct a separate remediation sweep for current content.

This analysis is provided for informational purposes and reflects publicly disclosed information about CVE-2026-8677 as of the publication date. No exploit code or weaponization instructions are included. Organizations should verify patch availability and compatibility with their specific WordPress and Elementor configurations before deployment. Consult with your vendor and security team to assess risk in your environment. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence beyond the source data provided. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).