WP-Safety
CVE-2026-6916

Jeg Kit for Elementor <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sg_content_number_prefix' Shortcode Attribute

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.1.1
Patched in
1d
Time to patch

Description

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sg_content_number_prefix' parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.1.0
PublishedMay 1, 2026
Last updatedMay 2, 2026
Affected pluginjeg-elementor-kit

What Changed in the Fix

Changes introduced in v3.1.1

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v3.1.0
Browse source Download .zip
Patched v3.1.1
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-6916 ## 1. Vulnerability Summary The **Jeg Kit for Elementor** plugin (up to version 3.1.0) is vulnerable to **Authenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists in the handling of the `sg_content_number_prefix` attribute within a sho…

Show full research plan

Exploitation Research Plan - CVE-2026-6916

1. Vulnerability Summary

The Jeg Kit for Elementor plugin (up to version 3.1.0) is vulnerable to Authenticated Stored Cross-Site Scripting (XSS). The vulnerability exists in the handling of the sg_content_number_prefix attribute within a shortcode (likely [jkit_fun_fact] or [jkit_counter]). The plugin fails to sanitize or escape this attribute before rendering it on the frontend. A user with Contributor permissions can create a post containing a malicious shortcode, which will execute arbitrary JavaScript in the context of any user (including Administrators) who views the page.

2. Attack Vector Analysis

  • Endpoint: WordPress Post Editor / REST API (wp-json/wp/v2/posts)
  • Action: Creating or updating a post/page.
  • Vulnerable Attribute: sg_content_number_prefix
  • Authentication Level: Contributor or higher (any role allowed to use shortcodes).
  • Preconditions: The plugin jeg-elementor-kit must be active. Elementor is usually a dependency for this plugin.

3. Code Flow

  1. Registration: The plugin registers a shortcode (e.g., jkit_fun_fact) via add_shortcode().
  2. Input: A Contributor creates a post where the content includes [jkit_fun_fact sg_content_number_prefix='<script>alert(1)</script>'].
  3. Processing: When the post is rendered, the shortcode callback (likely in includes/widgets/Fun_Fact.php or a similar class handling the "Fun Fact" or "Counter" widget) parses the attributes using shortcode_atts().
  4. Sink: The value of sg_content_number_prefix is concatenated into the HTML output string and returned to WordPress for display.
  5. Execution: Because the output is not passed through esc_html() or esc_attr(), the injected <script> tag is rendered directly into the browser's DOM.

4. Nonce Acquisition Strategy

To inject the shortcode via the WordPress REST API as a Contributor, a REST API nonce is required.

  1. Login: Authenticate as a Contributor user.
  2. Navigate: Use browser_navigate to go to the WordPress Dashboard (/wp-admin/).
  3. Extraction: Use browser_eval to extract the WordPress REST nonce from the global wpApiSettings object:
    window.wpApiSettings.nonce
  4. Alternative (UI): If using the classic editor, the nonce can be found in the #_wpnonce hidden input field on the post-new.php page.

5. Exploitation Strategy

The goal is to store a payload that triggers an alert on the frontend.

Step 1: Authentication

Authenticate the session as a Contributor.

Step 2: Payload Injection

Submit a POST request to create a new post containing the malicious shortcode.

Request:

  • URL: http://localhost:8080/wp-json/wp/v2/posts
  • Method: POST
  • Headers:
    • X-WP-Nonce: [EXTRACTED_NONCE]
    • Content-Type: application/json
  • Body:
{
    "title": "XSS Test Page",
    "content": "[jkit_fun_fact sg_content_number_prefix='<img src=x onerror=alert(\"CVE-2026-6916\")>' sg_content_number_title='Test' sg_content_number_value='100']",
    "status": "publish"
}

Note: If jkit_fun_fact is not the correct shortcode, try jkit_counter or jkit_steps based on the attribute name.

Step 3: Triggering the XSS

Access the newly created post's permalink using an unauthenticated http_request.

6. Test Data Setup

  • Users: Create a user attacker with the contributor role.
  • Plugin Configuration: Ensure jeg-elementor-kit is active.
  • Page Creation: A page must be created by the Contributor to hold the shortcode.

7. Expected Results

  • The HTTP request to create the post should return 201 Created.
  • The response body of the created post's URL should contain the raw string: <span><img src=x onerror=alert("CVE-2026-6916")></span> (or similar, depending on the exact HTML wrapper).
  • When viewed in a browser, an alert box with "CVE-2026-6916" should appear.

8. Verification Steps

  1. Check Post Content:
    wp post list --post_type=post --format=csv
# Find the ID of 'XSS Test Page'
wp post get [ID] --field=content
  2. Verify Rendering:
    Use http_request to fetch the post content and grep for the payload:
    # Look for the unescaped img tag
grep -oP '<img src=x onerror=alert\("CVE-2026-6916"\)>'

9. Alternative Approaches

  • Attribute Breakout: If the prefix is rendered inside an attribute (e.g., <div data-prefix="PAYLOAD">), use:
    sg_content_number_prefix='"><script>alert(1)</script>'
  • Elementor Data Meta: If the shortcode doesn't render via standard post content, inject the payload into the _elementor_data post meta (JSON format) using the REST API or wp post meta update.
  • Shortcode Variants: If jkit_fun_fact fails, scan the plugin directory for other shortcodes using sg_content_number_prefix:
    grep -r "sg_content_number_prefix" /var/www/html/wp-content/plugins/jeg-elementor-kit/
    The resulting file will reveal the correct shortcode tag registered via add_shortcode.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Jeg Kit for Elementor plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'sg_content_number_prefix' shortcode attribute in versions up to and including 3.1.0. This vulnerability allows authenticated contributors to inject malicious scripts into pages, which execute in the browser of any user viewing the page due to insufficient output escaping.

Vulnerable Code

// In includes/widgets/Fun_Fact.php or similar widget files
// The plugin retrieves widget settings and renders the 'sg_content_number_prefix' attribute without sanitization.

$settings = $this->get_settings_for_display();
$prefix = $settings['sg_content_number_prefix'];

// ... 

echo '<span class="jkit-fun-fact-prefix">' . $prefix . '</span>';

Security Fix

--- includes/widgets/Fun_Fact.php
+++ includes/widgets/Fun_Fact.php
@@ -XX,XX +XX,XX @@
- echo '<span class="jkit-fun-fact-prefix">' . $prefix . '</span>';
+ echo '<span class="jkit-fun-fact-prefix">' . wp_kses_post( $prefix ) . '</span>';

Exploit Outline

To exploit this vulnerability, an attacker with Contributor-level access or higher must create or edit a post and include a Jeg Kit widget (such as 'Fun Fact' or 'Counter') that utilizes the 'sg_content_number_prefix' attribute. The attacker sets this attribute's value to a malicious JavaScript payload, for example: [jkit_fun_fact sg_content_number_prefix='<img src=x onerror=alert(1)>']. Once the post is saved and published, the script will execute in the context of any user's session who visits the page, including administrators, potentially allowing for session hijacking or unauthorized administrative actions.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/5000c86b-b535-48de-b3e0-0dd0d2fd9b1e?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database