themesflat-addons-for-elementor < 2.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2026-39500 | Plugin Vulnerabilities

Description

The themesflat-addons-for-elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

themesflat-addons-for-elementor

Fixed in 2.3.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a1da201f-47e3-4f39-9c8b-cd842e8f7ca5

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

timomangcut

Verified

No

WPVDB ID

d83e5b33-2ce4-4401-855f-2759a2dbbf7b

Timeline

Publicly Published

2026-03-23 (about 2 months ago)

Added

2026-04-15 (about 1 month ago)

Last Updated

2026-04-15 (about 1 month ago)

Other

Published

Title

Published

2025-07-21

Title

Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery < 1.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-08-28

Title

Nested Pages <= 3.2.8 - Editor+ Stored XSS

Published

2023-02-13

Title

Advanced Recent Posts <= 0.6.14 - Contributor+ Stored XSS

Published

2026-04-21

Title

Chatbot for WordPress by Collect.chat ⚡️ < 2.5.0 - Unauthenticated Stored Cross-Site Scripting

Published

2024-10-24

Title

File Upload Types by WPForms < 1.5.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload