Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L reflects required Author-level authentication; UI:R because a victim must visit the injected page for the stored payload to fire; S:C and C:L/I:L capture cross-context browser script execution.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced from The Events Calendar. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in Essential Addons for Elementor (versions up to and including 6.6.2) allows authenticated WordPress users with Author-level access or higher to inject persistent malicious JavaScript via event titles rendered through the Event Calendar widget. The injected payload executes in the browsers of any user who visits the affected page, with scope change confirmed by the CVSS:3.1 S:C designation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session at Author level or above - unauthenticated or Subscriber-level access is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.4 base score reflects a meaningful but bounded risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding or acquiring an Author-level WordPress account navigates to The Events Calendar and creates or edits an event, embedding a JavaScript payload such as a cookie-exfiltration script within the event title field. Essential Addons for Elementor's Event Calendar widget renders this unsanitized title on any page where the widget is placed, causing the script to execute silently in every visitor's browser and forwarding session tokens to an attacker-controlled endpoint. |
| Remediation | A patch has been committed to the official WordPress plugin repository as confirmed by Trac changeset 3519453 (https://plugins.trac.wordpress.org/changeset/3519453/essential-addons-for-elementor-lite); the exact released version number is not independently confirmed from the available input data, so administrators should update to the latest available version of Essential Addons for Elementor via the WordPress dashboard or WP-CLI and verify that the installed version exceeds 6.6.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Authenticated account takeover in the Essential Addons for Elementor WordPress plugin (versions ≤ 6.6.10) lets a Contrib
Privilege escalation in Essential Addons for Elementor (all versions ≤ 6.5.13) allows authenticated WordPress users with
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42228
GHSA-9w6j-2h2h-p5h5