CVE-2026-1397 is a stored cross-site scripting vulnerability identified in the PQ Addons – Creative Elementor Widgets plugin for WordPress, specifically affecting the PQ Section Title widget's html_tag parameter. This vulnerability stems from improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied input before rendering it in the page HTML. As a result, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into widget attributes. When other users access the affected pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or further attacks leveraging the victim’s privileges. The vulnerability affects all versions up to and including 1.0.0 of the plugin. The CVSS v3.1 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and partial impact on confidentiality and integrity. No patches or known exploits are currently available, but the vulnerability poses a significant risk due to the widespread use of Elementor and its addons in WordPress sites. The scope is considered changed (S:C) because the vulnerability can affect other users beyond the attacker. The vulnerability was published on March 21, 2026, and assigned by Wordfence.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users’ browsers, enabling theft of session cookies, credentials, or other sensitive information. This can lead to account takeover, privilege escalation, or persistent site defacement. Although availability is not directly impacted, successful exploitation can degrade user trust and site reputation. Organizations relying on this plugin, especially those with multiple contributors or editors, face increased risk of insider threats or compromised accounts being leveraged to inject malicious content. The vulnerability’s network-based attack vector and low complexity make it feasible for attackers with limited skills but authenticated access to exploit. Given the popularity of WordPress and Elementor-based sites globally, the potential impact is broad, affecting websites ranging from small businesses to large enterprises that use this plugin for creative widget functionality.

To mitigate this vulnerability, organizations should immediately update the PQ Addons – Creative Elementor Widgets plugin to a patched version once available. Until a patch is released, administrators should restrict contributor-level permissions to trusted users only and consider temporarily disabling or removing the vulnerable widget (PQ Section Title) from active pages. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in widget parameters can provide interim protection. Additionally, site owners should enforce strict input validation and output encoding practices for all user-supplied content, especially in custom widgets or plugins. Regularly auditing user roles and permissions to minimize the number of users with contributor or higher access reduces the attack surface. Monitoring site logs for unusual activity and scanning for injected scripts can help detect exploitation attempts early. Finally, educating content contributors about the risks of injecting untrusted code and maintaining up-to-date backups will aid in recovery if exploitation occurs.