Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L reflects mandatory contributor authentication; UI:R corrects the provided vector - stored XSS requires a victim to visit the injected page; S:C captures cross-browser session impact unchanged.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The News Kit Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an attacker to intercept and modify the elementor_ajax AJAX save request in order to bypass the client-side SELECT control restrictions and submit arbitrary tag-name values.
AnalysisAI
Stored Cross-Site Scripting in the News Kit Addons For Elementor WordPress plugin (versions ≤1.4.6) permits authenticated contributors to persistently inject arbitrary JavaScript into pages via the Site Logo Title and Single Author Box widgets by manipulating the elementor_ajax AJAX save request to bypass client-side tag-name restrictions. Every user who subsequently visits an injected page executes the attacker's script in their browser, enabling session hijacking, credential theft, or admin-level actions on their behalf. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account with contributor-level permissions or higher on the target site - fully unauthenticated attackers cannot trigger the vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 6.4 (Medium) vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects network-based exploitability requiring only contributor-level authentication and no elevated complexity, with scope change to victim browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a contributor account on a WordPress site running News Kit Addons For Elementor 1.4.6 opens the Elementor editor, places a Site Logo Title widget on a draft page, and saves the page while routing traffic through Burp Suite. In the intercepted elementor_ajax POST request, the attacker replaces the widget's heading-tag parameter value with a crafted script payload. … |
| Remediation | Upgrade the News Kit Addons For Elementor plugin to version 1.4.7 or later; this is the vendor-released patch confirmed by the WordPress plugin repository changeset between revisions 3580563 and 3586039 (https://plugins.trac.wordpress.org/changeset?reponame=&new=3586039%40news-kit-elementor-addons%2Ftrunk&old=3580563%40news-kit-elementor-addons%2Ftrunk) and by the presence of updated source files under the 1.4.7 tag in trac. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43611
GHSA-q988-g5jr-8jjr