WordPress Plugin Vulnerabilities

Header Footer Builder for Elementor < 1.2.1 - Contributor+ Stored XSS via Template Import

Description

The plugin does not require an administrative capability for its dashboard template-import action (it allows any edit_posts user), so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide, injecting JavaScript that executes in the session of any visitor or administrator who loads the site.

Proof of Concept

Affects Plugins

References

Classification

Type
XSS
CWE

Miscellaneous

Original Researcher
Vaibhav Narkhede
Submitter
Vaibhav Narkhede
Verified
Yes

Timeline

Publicly Published
2026-06-25 (about 21 days ago)
Added
2026-06-25 (about 20 days ago)
Last Updated
2026-06-25 (about 20 days ago)

Other