CVE-2026-22518 is a DOM-based Cross-site Scripting (XSS) vulnerability classified under CWE-79, found in the pencilwp X Addons for Elementor plugin, which is a popular extension for the Elementor page builder on WordPress. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and executed in the victim's browser context. This type of XSS is DOM-based, meaning the attack payload is executed as a result of client-side script processing rather than server-side output encoding failures. The affected versions include all versions up to 1.0.23, with no specific earliest version identified. The CVSS v3.1 base score is 6.5, reflecting a medium severity with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network attack vector, low attack complexity, requiring privileges and user interaction, with a scope change and partial impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to websites using this plugin, potentially allowing attackers to execute arbitrary JavaScript, steal session tokens, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability is particularly relevant for websites that allow user input or parameters to be reflected in the DOM without proper sanitization or encoding. Since no patches have been released yet, organizations must be vigilant and consider temporary mitigations. The vulnerability was published on January 8, 2026, by Patchstack, with no direct patch links available at this time.

For European organizations, this vulnerability can lead to significant risks including theft of user credentials, session hijacking, unauthorized actions performed on behalf of users, and potential defacement or redirection of websites. Organizations relying on pencilwp X Addons for Elementor in their WordPress environments, especially those with public-facing websites or portals handling sensitive user data, are at risk of data breaches and reputational damage. The scope change in the CVSS vector indicates that exploitation could affect components beyond the initially vulnerable plugin, potentially impacting the entire web application. Given the widespread use of WordPress and Elementor in Europe, this vulnerability could be leveraged to target e-commerce sites, government portals, and corporate websites, leading to loss of customer trust and regulatory penalties under GDPR if personal data is compromised. The requirement for privileges and user interaction somewhat limits exploitation but does not eliminate risk, especially in environments where multiple users have editing or publishing rights. The absence of known exploits currently provides a window for proactive defense but also means attackers may develop exploits soon after public disclosure.

European organizations should immediately audit their WordPress installations to identify the presence of pencilwp X Addons for Elementor plugin and determine the version in use. Until an official patch is released, consider disabling or removing the plugin if feasible, especially on high-risk or public-facing sites. Implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Review and harden user privilege assignments to minimize the number of users with permissions that could facilitate exploitation. Employ Web Application Firewalls (WAFs) with rules targeting DOM-based XSS patterns to detect and block malicious payloads. Monitor web traffic and logs for unusual activity indicative of attempted XSS exploitation. Educate content editors and administrators about the risks of interacting with untrusted inputs or links. Once a patch is available, prioritize timely application and verify the fix through testing. Additionally, consider employing security plugins that sanitize user inputs and outputs to provide an additional layer of defense.