Skip to main content

Essential Addons Elementor CVE-2026-6459

| EUVDEUVD-2026-42228 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 Wordfence GHSA-9w6j-2h2h-p5h5
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L reflects required Author-level authentication; UI:R because a victim must visit the injected page for the stored payload to fire; S:C and C:L/I:L capture cross-context browser script execution.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 13:21 vuln.today
CVE Published
Jul 08, 2026 - 12:33 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced from The Events Calendar. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in Essential Addons for Elementor (versions up to and including 6.6.2) allows authenticated WordPress users with Author-level access or higher to inject persistent malicious JavaScript via event titles rendered through the Event Calendar widget. The injected payload executes in the browsers of any user who visits the affected page, with scope change confirmed by the CVSS:3.1 S:C designation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or compromise Author-level WordPress account
Delivery
Create or edit event with JavaScript payload in title field
Exploit
Payload stored in database without sanitization
Install
Victim loads page containing Event Calendar widget
C2
Browser renders unsanitized event title
Execute
Injected script executes in victim's browser context
Impact
Session tokens or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session at Author level or above - unauthenticated or Subscriber-level access is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.4 base score reflects a meaningful but bounded risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding or acquiring an Author-level WordPress account navigates to The Events Calendar and creates or edits an event, embedding a JavaScript payload such as a cookie-exfiltration script within the event title field. Essential Addons for Elementor's Event Calendar widget renders this unsanitized title on any page where the widget is placed, causing the script to execute silently in every visitor's browser and forwarding session tokens to an attacker-controlled endpoint.
Remediation A patch has been committed to the official WordPress plugin repository as confirmed by Trac changeset 3519453 (https://plugins.trac.wordpress.org/changeset/3519453/essential-addons-for-elementor-lite); the exact released version number is not independently confirmed from the available input data, so administrators should update to the latest available version of Essential Addons for Elementor via the WordPress dashboard or WP-CLI and verify that the installed version exceeds 6.6.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6459 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy