Skip to main content

Wpbits Addons For Elementor Page Builder EUVD-2026-20406

| CVE-2026-39703 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-xrpw-3fmw-45qf
XSS Wpbits Addons For Elementor Page Builder Elementor
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:44 vuln.today
CVSS changed
Apr 13, 2026 - 20:22 NVD
6.5 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20406
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.

AnalysisAI

Stored cross-site scripting (XSS) in WPBITS Addons For Elementor Page Builder versions up to 1.8.1 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability stems from improper input sanitization during web page generation, enabling an attacker to persistently compromise site content and steal session tokens or perform administrative actions on behalf of legitimate users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as low-privilege WordPress user
Delivery
Create or edit page with WPBITS Addons plugin
Exploit
Inject unescaped JavaScript in widget/field
Install
Save malicious content to database
C2
Administrator views/edits page
Execute
Browser executes stored XSS payload
Impact
Attacker gains session token or performs admin actions
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Authenticated access to WordPress with page/post creation or editing privileges (Contributor role or higher) is required to inject the malicious payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment While the CVSS score of 6.5 is moderate, multiple risk signals indicate this is a lower-priority issue in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated WordPress user with contributor or editor privileges (low-privilege account) crafts a malicious page or widget using the WPBITS Addons For Elementor plugin that contains unescaped JavaScript code. When another user-such as an administrator-visits or edits the compromised page, the stored XSS payload executes in their browser session, allowing the attacker to steal admin cookies, redirect administrators to phishing pages, or inject administrative user accounts. …
Remediation Update WPBITS Addons For Elementor Page Builder to a version newer than 1.8.1 once the patched release becomes available. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-20406 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy