Skip to main content

Exclusive Addons Elementor CVE-2026-57620

| EUVDEUVD-2026-39649 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 Patchstack GHSA-p8c2-86p5-3rcc
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Stored XSS via authenticated contributor yields scope change and C/I impact in victim browser; no availability impact is attributable to this XSS class.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 12:20 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS.

This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.8.

AnalysisAI

Stored Cross-Site Scripting in the Exclusive Addons Elementor WordPress plugin (versions through 2.7.9.8) allows authenticated low-privileged users to inject persistent malicious scripts into Elementor widgets that execute in the browsers of site visitors and administrators. The scope change (S:C in the CVSS vector) indicates the injected payload escapes the attacker's context and affects other users, enabling session hijacking, credential theft, or privilege escalation to admin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress contributor account
Delivery
Inject XSS payload into Elementor widget field
Exploit
Payload persists in database
Execution
Admin browses affected page
Persist
Script executes in admin browser
Impact
Exfiltrate session cookie or escalate to admin

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a WordPress account with at minimum Contributor-level role permissions, which allows saving Elementor draft content without publishing - this is the PR:L condition reflected in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L reflects a realistic stored XSS profile: network-reachable, low complexity, but requiring low-level authentication (PR:L) and victim interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a contributor-level WordPress account on a site running Exclusive Addons Elementor 2.7.9.8 or earlier, then edits or creates an Elementor page embedding a malicious JavaScript payload within a vulnerable widget field. When a site administrator browses to that page to review or approve content, the stored script executes silently in their browser session, potentially exfiltrating their authentication cookies to an attacker-controlled server and enabling full administrative account takeover. …
Remediation The primary remediation is to update the Exclusive Addons for Elementor plugin to a version above 2.7.9.8 via the WordPress admin dashboard or WP-CLI. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy