Skip to main content

News Kit Addons For Elementor

1 CVEs product

Monthly

CVE-2026-11390 MEDIUM This Month

Stored Cross-Site Scripting in the News Kit Addons For Elementor WordPress plugin (versions ≤1.4.6) permits authenticated contributors to persistently inject arbitrary JavaScript into pages via the Site Logo Title and Single Author Box widgets by manipulating the elementor_ajax AJAX save request to bypass client-side tag-name restrictions. Every user who subsequently visits an injected page executes the attacker's script in their browser, enabling session hijacking, credential theft, or admin-level actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; a vendor-released patch is available in version 1.4.7.

XSS WordPress News Kit Addons For Elementor
NVD
CVSS 3.1
6.4
EPSS
0.3%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the News Kit Addons For Elementor WordPress plugin (versions ≤1.4.6) permits authenticated contributors to persistently inject arbitrary JavaScript into pages via the Site Logo Title and Single Author Box widgets by manipulating the elementor_ajax AJAX save request to bypass client-side tag-name restrictions. Every user who subsequently visits an injected page executes the attacker's script in their browser, enabling session hijacking, credential theft, or admin-level actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; a vendor-released patch is available in version 1.4.7.

XSS WordPress News Kit Addons For Elementor
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy