Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Contributor access required (PR:L) and admin must actively open the post in Elementor editor (UI:R); official UI:N appears inconsistent with the editor-only trigger, so AC:L/UI:R better reflects the actual exploitation conditions.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Premium Addons for Elementor - Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is specifically triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor, as the raw unescaped output occurs via the print_template() method registered on the 'elementor/section/print_template' hook rather than on the public-facing frontend.
AnalysisAI
Stored XSS in Premium Addons for Elementor (all versions ≤4.11.84) lets authenticated contributors plant persistent JavaScript payloads via the premium_tooltip_text parameter that execute specifically when an administrator opens the injected post in the Elementor editor - not on public-facing pages. The root cause is unescaped output in the print_template() method registered on the elementor/section/print_template hook, meaning the attack surface is confined to the Elementor editor backend. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all four of the following: (1) an attacker-controlled account with contributor-level WordPress access or higher on the target site; (2) the Premium Addons for Elementor plugin installed and active at version 4.11.84 or earlier; (3) the attacker's post or page uses the Tooltip widget so that the `premium_tooltip_text` parameter is processed; and (4) an administrator or higher-privileged user must subsequently open that specific post inside the Elementor editor - the XSS payload does NOT execute on public-facing page views, only in the editor's template preview context. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 4.9 (Medium) reflects AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N - network-exploitable, contributor-authenticated, scope-changed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious contributor with legitimate WordPress access creates a post and inserts a JavaScript payload (such as a cookie-exfiltration script or an unauthorized admin-action trigger) into the `premium_tooltip_text` field of the Tooltip widget. The payload sits inert in the database - invisible to public visitors - until a site administrator reviews the post in the Elementor editor, at which point `print_template()` renders the unescaped value and the script executes within the admin's authenticated browser session. … |
| Remediation | A patch commit has been published to the WordPress.org plugin repository per the changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3597629%40premium-addons-for-elementor&new=3597629%40premium-addons-for-elementor; however, the exact patched release version number is not explicitly confirmed in the available data - verify the current version in the WordPress plugin repository and update beyond 4.11.84 via the standard WordPress plugin update mechanism. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43142
GHSA-r293-726m-x33j