Vulnerabilities ›

CVE-2026-8677

Medium

CWE-79 — Weakness Type

                    Published: Jun 9, 2026                      ·  Modified: Jun 10, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

The Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploit succeeds even for users without the unfiltered_html capability because the payload (e.g., 'img src=x onerror=alert(document.domain)') contains no HTML angle brackets and therefore passes through Elementor's wp_kses_post() filter unchanged at save time.

🤖 AI Executive Summary

Prime Elementor Addons plugin versions up to 1.3.3 contain a Stored XSS vulnerability in widget HTML tag settings that allows authenticated contributors to inject malicious scripts. The vulnerability bypasses Elementor's sanitization filters by using attribute-based payloads without angle brackets, affecting all WordPress sites using this plugin. No patch is currently available, requiring immediate mitigation through access controls and plugin disabling.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Jun 9, 2026 14:03

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using WordPress with Prime Elementor Addons face significant risk, particularly: (1) Government websites and digital transformation initiatives under NCA oversight; (2) Banking and financial services sector (SAMA-regulated) using WordPress for customer portals; (3) E-commerce and retail platforms; (4) Healthcare providers with patient information portals; (5) Educational institutions and universities. The vulnerability is particularly dangerous as it requires only contributor-level access, a common permission level for content managers and marketing teams in Saudi organizations. Compromised pages could lead to credential theft, malware distribution, or defacement affecting organizational reputation.

🏢 Affected Saudi Sectors

Government and Digital Transformation Banking and Financial Services E-commerce and Retail Healthcare and Medical Services Education and Universities Telecommunications Media and Publishing Insurance

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1598 - Phishing T1566 - Phishing T1204 - User Execution T1059 - Command and Scripting Interpreter T1547 - Boot or Logon Autostart Execution T1539 - Steal Web Session Cookie T1056 - Input Capture

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all WordPress installations for Prime Elementor Addons plugin presence and version (check wp-content/plugins/prime-elementor-addons/)

2. Restrict contributor and author-level user access to only trusted personnel; review user roles in WordPress admin

3. Disable the plugin immediately via WordPress admin dashboard or rename plugin folder to /prime-elementor-addons-disabled/

4. Review all pages/posts created/modified in past 90 days for suspicious widget configurations

DETECTION & MONITORING:

5. Search WordPress database for suspicious patterns in post_content: 'onerror=', 'onload=', 'onclick=' in widget settings

6. Monitor access logs for POST requests to /wp-admin/admin-ajax.php with elementor parameters

7. Enable WordPress security logging plugin (e.g., Wordfence) to track user activities

COMPENSATING CONTROLS:

8. Implement Web Application Firewall (WAF) rules to block requests containing XSS payloads in widget parameters

9. Apply Content Security Policy (CSP) headers: Content-Security-Policy: script-src 'self'; object-src 'none'

10. Use WordPress security plugins (Sucuri, Wordfence) with real-time malware scanning

11. Implement strict file integrity monitoring for wp-content/plugins/ directory

LONG-TERM:

12. Monitor Prime Elementor Addons GitHub/official channels for security patches

13. Consider alternative lightweight Elementor widget plugins with active security maintenance

14. Implement principle of least privilege for WordPress user roles

15. Conduct security awareness training for content managers on XSS risks

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع تثبيتات WordPress للتحقق من وجود مكون Prime Elementor Addons والإصدار (تحقق من wp-content/plugins/prime-elementor-addons/)

2. تقييد وصول المستخدمين على مستوى المساهم والمؤلف للموظفين الموثوقين فقط؛ مراجعة أدوار المستخدمين في لوحة تحكم WordPress

3. تعطيل المكون فوراً عبر لوحة تحكم WordPress أو إعادة تسمية مجلد المكون إلى /prime-elementor-addons-disabled/

4. مراجعة جميع الصفحات/المنشورات التي تم إنشاؤها/تعديلها في آخر 90 يوماً للتحقق من إعدادات الأداة المريبة

الكشف والمراقبة:

5. البحث في قاعدة بيانات WordPress عن أنماط مريبة في post_content: 'onerror='، 'onload='، 'onclick=' في إعدادات الأداة

6. مراقبة سجلات الوصول لطلبات POST إلى /wp-admin/admin-ajax.php مع معاملات elementor

7. تفعيل مكون تسجيل أمان WordPress (مثل Wordfence) لتتبع أنشطة المستخدم

عناصر التحكم التعويضية:

8. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات التي تحتوي على حمولات XSS في معاملات الأداة

9. تطبيق رؤوس سياسة أمان المحتوى (CSP): Content-Security-Policy: script-src 'self'; object-src 'none'

10. استخدام مكونات أمان WordPress (Sucuri، Wordfence) مع المسح الفوري للبرامج الضارة

11. تنفيذ مراقبة سلامة الملفات الصارمة لمجلد wp-content/plugins/

المدى الطويل:

12. مراقبة قنوات Prime Elementor Addons الرسمية على GitHub للحصول على تصحيحات أمان

13. النظر في مكونات Elementor خفيفة الوزن بديلة مع صيانة أمان نشطة

14. تنفيذ مبدأ الامتياز الأقل للأدوار في WordPress

15. إجراء تدريب على الوعي الأمني للمحررين بشأن مخاطر XSS

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Secure development policy and procedures ECC 2024 A.14.2.5 - Secure development environment ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.12.2.1 - User access management ECC 2024 A.13.1.3 - Segregation of networks

🔵 SAMA CSF

SAMA CSF 2.1 - Asset Management and Inventory SAMA CSF 3.2 - Access Control and Authentication SAMA CSF 4.1 - Vulnerability Management SAMA CSF 5.1 - Incident Detection and Response SAMA CSF 6.2 - Third-party Risk Management

🟡 ISO 27001:2022

ISO 27001:2022 A.5.23 - Information security for supplier relationships ISO 27001:2022 A.8.1 - User endpoint devices ISO 27001:2022 A.8.3 - Access control ISO 27001:2022 A.14.2 - Secure development ISO 27001:2022 A.12.6 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Ensure all system components and software are protected from known vulnerabilities PCI DSS 6.5.7 - Cross-site scripting (XSS) PCI DSS 7.1 - Limit access to system components by business need to know

🔗 References & Sources 16

🔗

https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomde...

CVE-2026-8677

Introduce Yourself