WordPress Plugin Vulnerabilities

Essential Addons for Elementor < 6.5.10 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
essential-addons-for-elementor-lite
Fixed in 6.5.10

References

CVE
CVE-2026-1512
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d652f383-ca3d-440e-a30f-64a50efd65e1

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
knani alaaeddine (iwd)
Verified
No
WPVDB ID
1e106a58-10db-46ad-9e98-b614a71e3d00

Timeline

Publicly Published
2026-02-13 (about 3 months ago)
Added
2026-02-14 (about 2 months ago)
Last Updated
2026-02-14 (about 2 months ago)

Other

Published
Title
Published
2014-08-01
Title
Schreikasten 0.14.13 - wp-admin/admin-ajax.php Multiple Parameter XSS
Published
2025-05-29
Title
NinjaTeam Chat for Telegram < 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via username Parameter
Published
2025-08-15
Title
Dropshix <= 4.0.14 - Admin+ Stored XSS
Published
2025-08-20
Title
Themify Audio Dock < 2.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-04-16
Title
LearnPress Export Import < 4.0.4 - Reflected Cross-Site Scripting