Header Footer Builder For Elementor
Monthly
Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.
Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.