Skip to main content

Header Footer Builder For Elementor

1 CVEs product

Monthly

CVE-2026-12869 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.

WordPress XSS Header Footer Builder For Elementor
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.

WordPress XSS Header Footer Builder For Elementor
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy