WordPress Plugin Vulnerabilities

ElementsKit Elementor Addons and Templates < 3.8.0 - Contributor+ Stored XSS via Simple Tab Widget

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
elementskit-lite
Fixed in 3.8.0

References

CVE
CVE-2026-2600
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4c33c640-0876-4b07-829e-35cae445b420

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
knani alaaeddine (iwd)
Verified
No
WPVDB ID
a98f334f-c287-4cfd-bac3-7673602bc714

Timeline

Publicly Published
2026-04-03 (about 1 month ago)
Added
2026-04-06 (about 1 month ago)
Last Updated
2026-04-06 (about 1 month ago)

Other

Published
Title
Published
2023-03-13
Title
Site Reviews < 6.6.0 - Contributor+ Stored XSS
Published
2024-06-18
Title
Page Builder: Live Composer <= 2.1.6 - Author+ Stored XSS
Published
2023-11-15
Title
BMI Calculator Plugin <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2019-10-15
Title
Zoho CRM Lead Magnet Plugin - Authenticated Cross Site Scripting (XSS)
Published
2022-08-01
Title
Button Plugin MaxButtons < 9.3 - Admin+ Stored Cross-Site Scripting