Skip to main content

Premium Addons for Elementor CVE-2026-12141

| EUVDEUVD-2026-43142 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-11 Wordfence GHSA-r293-726m-x33j
4.9
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Contributor access required (PR:L) and admin must actively open the post in Elementor editor (UI:R); official UI:N appears inconsistent with the editor-only trigger, so AC:L/UI:R better reflects the actual exploitation conditions.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:20 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
MEDIUM 4.9

DescriptionCVE.org

The Premium Addons for Elementor - Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is specifically triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor, as the raw unescaped output occurs via the print_template() method registered on the 'elementor/section/print_template' hook rather than on the public-facing frontend.

AnalysisAI

Stored XSS in Premium Addons for Elementor (all versions ≤4.11.84) lets authenticated contributors plant persistent JavaScript payloads via the premium_tooltip_text parameter that execute specifically when an administrator opens the injected post in the Elementor editor - not on public-facing pages. The root cause is unescaped output in the print_template() method registered on the elementor/section/print_template hook, meaning the attack surface is confined to the Elementor editor backend. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor-level WordPress credentials
Delivery
Create or edit post with malicious premium_tooltip_text payload
Exploit
Wait for administrator to open injected post in Elementor editor
Execution
print_template() renders unescaped payload in admin browser
Impact
Exfiltrate admin session token or execute unauthorized admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires all four of the following: (1) an attacker-controlled account with contributor-level WordPress access or higher on the target site; (2) the Premium Addons for Elementor plugin installed and active at version 4.11.84 or earlier; (3) the attacker's post or page uses the Tooltip widget so that the `premium_tooltip_text` parameter is processed; and (4) an administrator or higher-privileged user must subsequently open that specific post inside the Elementor editor - the XSS payload does NOT execute on public-facing page views, only in the editor's template preview context. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 4.9 (Medium) reflects AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N - network-exploitable, contributor-authenticated, scope-changed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious contributor with legitimate WordPress access creates a post and inserts a JavaScript payload (such as a cookie-exfiltration script or an unauthorized admin-action trigger) into the `premium_tooltip_text` field of the Tooltip widget. The payload sits inert in the database - invisible to public visitors - until a site administrator reviews the post in the Elementor editor, at which point `print_template()` renders the unescaped value and the script executes within the admin's authenticated browser session. …
Remediation A patch commit has been published to the WordPress.org plugin repository per the changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3597629%40premium-addons-for-elementor&new=3597629%40premium-addons-for-elementor; however, the exact patched release version number is not explicitly confirmed in the available data - verify the current version in the WordPress plugin repository and update beyond 4.11.84 via the standard WordPress plugin update mechanism. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12141 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy