CVE-2026-1512 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Essential Addons for Elementor – Popular Elementor Templates & Widgets WordPress plugin developed by wpdevteam. The vulnerability exists in all versions up to and including 6.5.9, specifically within the Info Box widget. The root cause is insufficient sanitization and escaping of user-supplied input attributes, which allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on behalf of victims. The vulnerability requires no user interaction to trigger once the malicious content is stored and viewed. The CVSS v3.1 base score is 6.4, reflecting network exploitable conditions with low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the widespread use of this plugin in WordPress sites makes it a significant risk. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in content management system plugins that accept user-generated content.

The impact of CVE-2026-1512 is primarily on the confidentiality and integrity of affected websites and their users. Attackers with contributor access can inject malicious scripts that execute in the context of other users’ browsers, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, or website defacement. This can erode user trust, damage brand reputation, and lead to regulatory compliance issues if personal data is compromised. Since the vulnerability requires contributor-level access, organizations with multiple content creators or editors are at higher risk. The scope of affected systems is broad due to the popularity of the Elementor plugin ecosystem, potentially impacting thousands of WordPress sites globally. While availability is not directly affected, secondary impacts such as site blacklisting by search engines or browsers could occur. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often target popular CMS plugins. Organizations that do not promptly address this vulnerability may face targeted attacks leveraging stored XSS to escalate privileges or pivot within their networks.

To mitigate CVE-2026-1512, organizations should immediately update the Essential Addons for Elementor plugin to a patched version once released by the vendor. Until a patch is available, restrict contributor-level access to trusted users only and review user roles to minimize unnecessary privileges. Implement a Web Application Firewall (WAF) with rules designed to detect and block malicious script injections targeting WordPress plugins. Regularly audit and sanitize existing content, especially Info Box widgets, to remove any injected scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor website logs and user activity for unusual behavior indicative of exploitation attempts. Educate content contributors about secure input practices and the risks of injecting untrusted content. Finally, maintain regular backups of website data to enable recovery in case of compromise.