Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
PR:L required because exploitation demands a Contributor account with edit_posts; S:C and UI:R reflect victim-browser stored XSS with no availability impact.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action (it allows any edit_posts user), so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide, injecting JavaScript that executes in the session of any visitor or administrator who loads the site.
AnalysisAI
Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess a valid WordPress account assigned the Contributor role or higher (specifically, the edit_posts capability). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C - score 6.1) contains a notable inconsistency: PR:N (no privileges required) contradicts the CVE description, which explicitly states that a Contributor account with edit_posts capability is required to trigger the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a WordPress Contributor account on the target site, navigates to the Header Footer Builder plugin dashboard, and uses the template-import function to load a crafted template containing an Elementor HTML widget embedding a JavaScript keylogger or cookie-theft payload configured for site-wide header display. Every subsequent visitor - including logged-in administrators - automatically executes the script on page load, transmitting session cookies or credentials to an attacker-controlled endpoint. … |
| Remediation | Upgrade the Header Footer Builder for Elementor plugin to version 1.2.1 or later, which is confirmed as the vendor-released patch addressing the missing capability check. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44878
GHSA-mm7h-qq6c-6h9w