What is the CVSS score of EUVD-2026-26479?

EUVD-2026-26479 has a CVSS 3.1 base score of 6.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Elementor Website Builder EUVD-2026-26479

| CVE-2026-6127 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-05-01 Wordfence

WordPress XSS Elementor

6.4

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.4 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

May 01, 2026 - 06:30 vuln.today

EUVD ID Assigned

May 01, 2026 - 06:00 euvd

EUVD-2026-26479

Analysis Generated

May 01, 2026 - 06:00 vuln.today

CVE Published

May 01, 2026 - 05:29 nvd

MEDIUM 6.4

DescriptionCVE.org

The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, causing all sanitization to be skipped. The unsanitized data is then stored via update_post_meta() and later output without escaping through multiple widget sinks including the HTML widget's print_unescaped_setting() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in Elementor Website Builder plugin for WordPress up to version 4.0.4 allows authenticated contributors to inject arbitrary JavaScript via form-encoded REST API requests to the _elementor_data meta field. The vulnerability bypasses sanitization by exploiting a json_decode() failure on non-JSON request bodies, causing unsanitized data to be stored and later output without escaping in widget rendering functions. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain contributor credentials

Delivery

Craft form-encoded PATCH request

Exploit

Send to REST API post meta endpoint

Install

Bypass json_decode() sanitization

Store malicious _elementor_data

Execute

Page visitor accesses post

Impact

Unescaped output renders JavaScript

Step 8

User script executes

Recon

Obtain contributor credentials

Delivery

Craft form-encoded PATCH request

Exploit

Send to REST API post meta endpoint

Install

Bypass json_decode() sanitization

Store malicious _elementor_data

Execute

Page visitor accesses post

Impact

Unescaped output renders JavaScript

Step 8

User script executes

Vulnerability AssessmentAI

Exploitation	Attacker must possess WordPress user account with contributor role or above (contributor, author, editor, administrator). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 6.4 score (AV:N/AC:L/PR:L/UI:N/S:C) indicates network-accessible, low-complexity attack requiring low privilege (contributor role) with scope change and partial confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with contributor-level WordPress credentials (obtained via password reuse, phishing, or account compromise) crafts a form-encoded HTTP PATCH request to the WordPress REST API targeting the _elementor_data meta field of a published post. The attacker includes a payload such as form data with _elementor_data containing JavaScript tags (e.g., embedded <script> or event handlers). …
Remediation	Update Elementor Website Builder to version 4.0.5 or later, which includes a fix implementing proper sanitize_callback on the _elementor_data meta field registration to validate form-encoded requests. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8157 HIGH This Week POC

8.8 Jun 22

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u

CVE-2026-8089 HIGH This Week POC

7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH This Week POC

7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-4259 HIGH This Week POC

7.1 Jun 22

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp

CVE-2026-6858 HIGH This Week POC