Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Contributor authentication gates exploitation (PR:L); stored payload auto-executes on page load requiring no victim action (UI:N) and crosses into victim browser scope (S:C); no availability impact warranted.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title parameter in all versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored XSS in the Exclusive Addons for Elementor WordPress plugin (all versions up to and including 2.7.9.8) allows authenticated Contributor-level users to permanently inject arbitrary JavaScript via the post title parameter in the post-duplicator extension. The CVSS Scope:Changed metric reflects that injected payloads execute in the browser contexts of other users - including administrators - who visit affected pages, enabling session hijacking, credential theft, or unauthorized administrative actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum Contributor-level role on the target site, confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 Medium score with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately captures a moderately serious threat that is constrained by the Contributor-level authentication requirement (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered or compromised a Contributor account on the target WordPress site navigates to the post-duplicator feature provided by the Exclusive Addons for Elementor plugin and creates a post with a JavaScript payload embedded in the post title field. The malicious payload is stored in the WordPress database and executes automatically in the browser of any user - including a site administrator - who subsequently loads the page, allowing the attacker to steal the administrator's session cookie and gain full site control. |
| Remediation | Update Exclusive Addons for Elementor to a version beyond 2.7.9.8 once a patched release is confirmed available in the WordPress plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Countdow
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons E
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons E
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons E
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Team Member
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Covid-19 St
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Act
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown T
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Ca
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Ca
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribu
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41975
GHSA-8jc9-q52q-8p76