WordPress Plugin Vulnerabilities

Premium Addons for Elementor < 4.11.71 - Contributor+ Stored XSS via 'custom_svg' Parameter

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the 'custom_svg' parameter due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
premium-addons-for-elementor
Fixed in 4.11.71

References

CVE
CVE-2026-4790
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ae6d07eb-3e64-45ee-ad5d-92b41ef11e43

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Fernando Mecozzi
Verified
No
WPVDB ID
bf1c8790-8cb5-4701-a25e-cc6add4e99de

Timeline

Publicly Published
2026-05-01 (about 12 days ago)
Added
2026-05-04 (about 9 days ago)
Last Updated
2026-05-04 (about 9 days ago)

Other

Published
Title
Published
2023-07-03
Title
Auto Location for WP Job Manager via Google < 1.1 - Admin+ Cross Site Scripting
Published
2017-02-07
Title
XO Security < 1.5.3 - XSS
Published
2021-10-04
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 2.4.2 - Multiple Admin+ Cross Site Scripting
Published
2023-11-07
Title
Seo By 10Web <= 1.2.9 - Reflected XSS
Published
2023-10-23
Title
LiteSpeed Cache < 5.7 - Contributor+ Stored XSS