Skip to main content

News Kit Elementor Addons EUVDEUVD-2026-43611

| CVE-2026-11390 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-14 Wordfence GHSA-q988-g5jr-8jjr
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L reflects mandatory contributor authentication; UI:R corrects the provided vector - stored XSS requires a victim to visit the injected page; S:C captures cross-browser session impact unchanged.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 02:31 vuln.today
CVE Published
Jul 14, 2026 - 01:30 nvd
MEDIUM 6.4

DescriptionCVE.org

The News Kit Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an attacker to intercept and modify the elementor_ajax AJAX save request in order to bypass the client-side SELECT control restrictions and submit arbitrary tag-name values.

AnalysisAI

Stored Cross-Site Scripting in the News Kit Addons For Elementor WordPress plugin (versions ≤1.4.6) permits authenticated contributors to persistently inject arbitrary JavaScript into pages via the Site Logo Title and Single Author Box widgets by manipulating the elementor_ajax AJAX save request to bypass client-side tag-name restrictions. Every user who subsequently visits an injected page executes the attacker's script in their browser, enabling session hijacking, credential theft, or admin-level actions on their behalf. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain or compromise contributor-level WordPress account
Delivery
Load Elementor editor with Site Logo Title or Single Author Box widget
Exploit
Intercept elementor_ajax AJAX save request via proxy
Install
Replace tag-name parameter with script injection payload
C2
Payload persists in WordPress page database
Execute
Victim user visits injected page
Impact
Malicious script executes in victim browser session

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with contributor-level permissions or higher on the target site - fully unauthenticated attackers cannot trigger the vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 6.4 (Medium) vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N reflects network-based exploitability requiring only contributor-level authentication and no elevated complexity, with scope change to victim browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a contributor account on a WordPress site running News Kit Addons For Elementor 1.4.6 opens the Elementor editor, places a Site Logo Title widget on a draft page, and saves the page while routing traffic through Burp Suite. In the intercepted elementor_ajax POST request, the attacker replaces the widget's heading-tag parameter value with a crafted script payload. …
Remediation Upgrade the News Kit Addons For Elementor plugin to version 1.4.7 or later; this is the vendor-released patch confirmed by the WordPress plugin repository changeset between revisions 3580563 and 3586039 (https://plugins.trac.wordpress.org/changeset?reponame=&new=3586039%40news-kit-elementor-addons%2Ftrunk&old=3580563%40news-kit-elementor-addons%2Ftrunk) and by the presence of updated source files under the 1.4.7 tag in trac. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy