Skip to main content

Header Footer Builder CVE-2026-12869

| EUVDEUVD-2026-44878 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 WPScan GHSA-mm7h-qq6c-6h9w
6.1
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L required because exploitation demands a Contributor account with edit_posts; S:C and UI:R reflect victim-browser stored XSS with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 16, 2026 - 13:26 vuln.today
CVSS changed
Jul 16, 2026 - 13:22 NVD
6.1 (MEDIUM)
Patch available
Jul 16, 2026 - 10:18 EUVD
CVE Published
Jul 16, 2026 - 06:00 cve.org
MEDIUM 6.1
CVE Published
Jul 16, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action (it allows any edit_posts user), so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide, injecting JavaScript that executes in the session of any visitor or administrator who loads the site.

AnalysisAI

Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or register Contributor-level WordPress account
Delivery
Access plugin dashboard template-import action
Exploit
Submit crafted template with malicious Elementor HTML widget
Install
Payload stored site-wide in header/footer region
C2
Any visitor or admin loads a page
Execute
Injected JavaScript executes in victim browser
Impact
Harvest session tokens or admin credentials

Vulnerability AssessmentAI

Exploitation The attacker must possess a valid WordPress account assigned the Contributor role or higher (specifically, the edit_posts capability). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C - score 6.1) contains a notable inconsistency: PR:N (no privileges required) contradicts the CVE description, which explicitly states that a Contributor account with edit_posts capability is required to trigger the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a WordPress Contributor account on the target site, navigates to the Header Footer Builder plugin dashboard, and uses the template-import function to load a crafted template containing an Elementor HTML widget embedding a JavaScript keylogger or cookie-theft payload configured for site-wide header display. Every subsequent visitor - including logged-in administrators - automatically executes the script on page load, transmitting session cookies or credentials to an attacker-controlled endpoint. …
Remediation Upgrade the Header Footer Builder for Elementor plugin to version 1.2.1 or later, which is confirmed as the vendor-released patch addressing the missing capability check. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy