Skip to main content

Exclusive Addons Elementor CVE-2026-11328

| EUVDEUVD-2026-41975 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-07 Wordfence GHSA-8jc9-q52q-8p76
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Contributor authentication gates exploitation (PR:L); stored payload auto-executes on page load requiring no victim action (UI:N) and crosses into victim browser scope (S:C); no availability impact warranted.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 07, 2026 - 02:28 vuln.today
CVE Published
Jul 07, 2026 - 01:28 nvd
MEDIUM 6.4

DescriptionCVE.org

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title parameter in all versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored XSS in the Exclusive Addons for Elementor WordPress plugin (all versions up to and including 2.7.9.8) allows authenticated Contributor-level users to permanently inject arbitrary JavaScript via the post title parameter in the post-duplicator extension. The CVSS Scope:Changed metric reflects that injected payloads execute in the browser contexts of other users - including administrators - who visit affected pages, enabling session hijacking, credential theft, or unauthorized administrative actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or register Contributor-level WordPress account
Delivery
Craft post title containing malicious JavaScript payload
Exploit
Submit via post-duplicator feature (post-duplicator.php)
Install
Payload persists in WordPress database
C2
Victim administrator loads injected page
Execute
Script executes in admin browser session
Impact
Admin session cookie exfiltrated or privileged action triggered

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum Contributor-level role on the target site, confirmed by CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 Medium score with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately captures a moderately serious threat that is constrained by the Contributor-level authentication requirement (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or compromised a Contributor account on the target WordPress site navigates to the post-duplicator feature provided by the Exclusive Addons for Elementor plugin and creates a post with a JavaScript payload embedded in the post title field. The malicious payload is stored in the WordPress database and executes automatically in the browser of any user - including a site administrator - who subsequently loads the page, allowing the attacker to steal the administrator's session cookie and gain full site control.
Remediation Update Exclusive Addons for Elementor to a version beyond 2.7.9.8 once a patched release is confirmed available in the WordPress plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-1234 MEDIUM POC
6.4 Mar 13

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute

CVE-2024-3489 MEDIUM
6.4 May 02

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Countdow

CVE-2024-30177 MEDIUM
6.5 Mar 27

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons E

CVE-2024-30232 MEDIUM
6.5 Mar 26

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons E

CVE-2024-32557 MEDIUM
6.5 Apr 16

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Exclusive Addons E

CVE-2024-4618 MEDIUM
6.4 May 15

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Team Member

CVE-2024-2028 MEDIUM
6.4 Mar 13

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Covid-19 St

CVE-2024-1414 MEDIUM
6.4 Mar 13

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Act

CVE-2024-1413 MEDIUM
6.4 Mar 13

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown T

CVE-2024-5332 MEDIUM
6.4 Jun 26

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Ca

CVE-2024-3985 MEDIUM
6.4 May 02

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Ca

CVE-2024-2750 MEDIUM
6.4 May 02

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribu

Share

CVE-2026-11328 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy