Skip to main content

Exclusive Addons Elementor

2 CVEs product

Monthly

CVE-2026-59511 MEDIUM This Month

Sensitive data exposure in Exclusive Addons Elementor (WordPress plugin by Tim Strifler) through version 2.7.9.9 enables unauthenticated remote attackers to retrieve sensitive information embedded within HTTP responses. The CWE-201 root cause indicates the plugin incorrectly includes sensitive data in outbound responses accessible to any network client without authentication, as confirmed by the CVSS vector (PR:N/UI:N). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the network-accessible, zero-prerequisite attack surface warrants prompt patching on internet-facing WordPress installations.

Information Disclosure Exclusive Addons Elementor
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57620 MEDIUM This Month

Stored Cross-Site Scripting in the Exclusive Addons Elementor WordPress plugin (versions through 2.7.9.8) allows authenticated low-privileged users to inject persistent malicious scripts into Elementor widgets that execute in the browsers of site visitors and administrators. The scope change (S:C in the CVSS vector) indicates the injected payload escapes the attacker's context and affects other users, enabling session hijacking, credential theft, or privilege escalation to admin. No public exploit code or CISA KEV listing is identified at time of analysis, but Patchstack has disclosed the vulnerability publicly.

XSS Exclusive Addons Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM This Month

Sensitive data exposure in Exclusive Addons Elementor (WordPress plugin by Tim Strifler) through version 2.7.9.9 enables unauthenticated remote attackers to retrieve sensitive information embedded within HTTP responses. The CWE-201 root cause indicates the plugin incorrectly includes sensitive data in outbound responses accessible to any network client without authentication, as confirmed by the CVSS vector (PR:N/UI:N). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the network-accessible, zero-prerequisite attack surface warrants prompt patching on internet-facing WordPress installations.

Information Disclosure Exclusive Addons Elementor
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in the Exclusive Addons Elementor WordPress plugin (versions through 2.7.9.8) allows authenticated low-privileged users to inject persistent malicious scripts into Elementor widgets that execute in the browsers of site visitors and administrators. The scope change (S:C in the CVSS vector) indicates the injected payload escapes the attacker's context and affects other users, enabling session hijacking, credential theft, or privilege escalation to admin. No public exploit code or CISA KEV listing is identified at time of analysis, but Patchstack has disclosed the vulnerability publicly.

XSS Exclusive Addons Elementor
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy