CVE-2026-1512 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress. This plugin is widely used to enhance Elementor page builder functionality with additional templates and widgets. The vulnerability arises from insufficient input sanitization and output escaping in the Info Box widget, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the context of the victim's browser. The attack vector requires authentication but no user interaction beyond visiting the compromised page. The CVSS 3.1 score of 6.4 reflects a medium severity, considering the network attack vector, low attack complexity, and privileges required. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, potentially impacting other users. No patches or official fixes have been released yet, and no known exploits have been observed in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or editing capabilities at contributor-level access or above.

For European organizations, this vulnerability poses a significant risk to websites using the Essential Addons for Elementor plugin, particularly those that allow multiple contributors to publish or edit content. Exploitation could lead to session hijacking, unauthorized actions on behalf of users, defacement, or distribution of malware through injected scripts. This can damage organizational reputation, lead to data breaches, or cause service disruptions. Since WordPress powers a substantial portion of websites in Europe, including many small and medium enterprises, educational institutions, and public sector sites, the impact could be widespread. The vulnerability’s requirement for contributor-level access limits exposure to insider threats or compromised accounts but does not eliminate risk, especially in environments with many content editors. The lack of a patch increases the urgency for interim mitigations. Additionally, the cross-site scripting vulnerability can be leveraged as a foothold for further attacks, including privilege escalation or lateral movement within web applications.

1. Immediately audit user roles and permissions to ensure that only trusted users have contributor-level or higher access. 2. Implement strict content moderation workflows to review and approve content before publication. 3. Use Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the Info Box widget. 4. Monitor website logs and content for unusual scripts or injected code, especially in pages created or edited by contributors. 5. Disable or restrict the use of the vulnerable Info Box widget if feasible until a patch is available. 6. Keep WordPress core and all plugins updated; apply the official patch from wpdevteam as soon as it is released. 7. Educate content editors about the risks of injecting untrusted code or HTML. 8. Consider implementing Content Security Policy (CSP) headers to limit the impact of injected scripts. 9. Regularly back up website data to enable quick recovery in case of compromise. 10. Engage in proactive vulnerability scanning and penetration testing focused on WordPress environments.