Elementor < 3.1.4 - Authenticated Stored Cross-Site Scripting (XSS) in Heading Widget
Description
In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a 'header_size' parameter. Although the element control lists a fixed set of possible HTML tags, a user with Contributor or higher permissions can send a modified 'save_builder' request with this parameter set to 'script' and a 'title' parameter containing JavaScript, which is then executed when the saved page is viewed or previewed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated stored XSS in Elementor < 3.1.4 via manipulated heading widget 'header_size' parameter allows Contributor+ users to inject arbitrary JavaScript.
Vulnerability
The Elementor Website Builder WordPress plugin prior to version 3.1.4 contains a stored cross-site scripting (XSS) vulnerability in the heading widget (includes/widgets/heading.php). The widget accepts a header_size parameter intended to select the heading's HTML tag from a fixed set, but the value is not validated server-side. An authenticated user with Contributor or higher permissions can craft a save_builder request with header_size set to script and a title parameter containing JavaScript; the combination is stored and the script executes when the saved page is viewed or previewed [1].
Exploitation
An attacker needs a WordPress account with at least the Contributor role, which can create and edit its own posts but not publish them. The attacker submits a modified save_builder AJAX request, replacing the expected header_size value with script and placing JavaScript in the title parameter. The server stores the input without sanitizing the tag, so the payload is rendered in the browser of anyone who visits the published page or previews the draft, which for a Contributor typically means the editor or administrator reviewing their submission [1].
Impact
Successful exploitation gives the attacker arbitrary JavaScript execution in the context of the affected WordPress site and of whichever user views the page. Against an administrator's session this allows actions performed with that user's privileges and nonces (for example creating accounts or modifying content), as well as defacement, redirection to malicious sites, or theft of data accessible from the page. The payload persists across visits until the stored content is removed or the plugin is updated [1].
Mitigation
The flaw is fixed in Elementor version 3.1.4, which the advisory dates to 2021-03-17 or later [1]. Users should update the plugin to 3.1.4 or later. No workaround is documented; sites that cannot update should limit the Contributor and higher roles to trusted users and review existing Elementor content created by those accounts. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
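Updating stops the stored tag from being rendered, but it does not tell you whether a Contributor already planted a payload. The script below is an added check, not part of the advisory or of Elementor: it walks the element tree Elementor stores per post (the `_elementor_data` post meta, a JSON array of nested elements with `elType`, `widgetType`, `settings` and `elements` keys; that layout is assumed here) and flags heading widgets whose `header_size` is not one of the tags the control offers. The allow-list contents and the sample document are constructed for the example.

```php
<?php
// Added check, not Elementor's code. Finds heading widgets in stored Elementor
// data whose header_size is outside the tags the editor control offers.
// Assumptions: _elementor_data is a JSON array of elements nested via an
// 'elements' key; the allow-list below matches the control's options.

declare(strict_types=1);

const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

/**
 * Recursively collect heading widgets with a non-allow-listed header_size.
 * @return array<int, array{id: string, header_size: string, title: string}>
 */
function find_bad_heading_tags(array $elements, array &$findings = []): array
{
    foreach ($elements as $el) {
        if (($el['elType'] ?? '') === 'widget' && ($el['widgetType'] ?? '') === 'heading') {
            // Compare case-insensitively with exact matching: 'SCRIPT' or
            // 'h1 onmouseover=...' are both rejected, not only 'script'.
            $tag = strtolower(trim((string) ($el['settings']['header_size'] ?? 'h2')));
            if (!in_array($tag, ALLOWED_HEADING_TAGS, true)) {
                $findings[] = [
                    'id'          => (string) ($el['id'] ?? '?'),
                    'header_size' => $tag,
                    'title'       => (string) ($el['settings']['title'] ?? ''),
                ];
            }
        }
        // Sections contain columns, columns contain widgets: recurse everywhere.
        if (!empty($el['elements']) && is_array($el['elements'])) {
            find_bad_heading_tags($el['elements'], $findings);
        }
    }
    return $findings;
}

// Constructed sample of stored data: one benign heading, one planted payload.
$stored = <<<'JSON'
[{"id":"a1","elType":"section","settings":{},"elements":[
  {"id":"b2","elType":"column","settings":{},"elements":[
    {"id":"c3","elType":"widget","widgetType":"heading",
     "settings":{"title":"Welcome","header_size":"h2"}},
    {"id":"d4","elType":"widget","widgetType":"heading",
     "settings":{"title":"alert(document.domain)","header_size":"script"}}
  ]}
]}]
JSON;

$findings = find_bad_heading_tags(json_decode($stored, true, 512, JSON_THROW_ON_ERROR));
foreach ($findings as $f) {
    printf("widget %s: header_size=%s title=%s\n", $f['id'], $f['header_size'], $f['title']);
}
```

On a live site the input would come from the database rather than the embedded sample, for instance by exporting each post's meta with WP-CLI (`wp post meta get <post-id> _elementor_data`) and feeding it to the function. A hit identifies both the post to clean and the account whose activity needs reviewing.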
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Elementor Website Builder plugin
- Range: <3.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing server-side validation of the 'header_size' parameter allows setting an arbitrary HTML tag, enabling stored XSS."
Attack vector
An authenticated user with Contributor or above permissions sends a modified 'save_builder' request to the Elementor editor. The request sets the 'header_size' parameter to 'script' and includes malicious JavaScript in the 'title' parameter [1]. When the saved page is viewed or previewed, the injected script executes in the context of the victim's browser [CWE-79].
Affected code
The vulnerable widget is located in includes/widgets/heading.php, which accepts a 'header_size' parameter naming the heading's HTML tag [1]. The element control defines a fixed set of allowed tags, but that list lives only in the editor control: the server neither rejects other values on save nor checks them before emitting the stored value as the tag name, so 'script' is written into the page as a real script element.
What the fix does
The advisory states the vulnerability is fixed in Elementor version 3.1.4 [1]. No patch diff is provided in the bundle, but the fix presumably adds server-side validation that accepts only the allowed set of HTML tags (e.g., h1-h6, div, span, p) and rejects values like 'script'. Enforcing the allow-list at render time rather than only on save has the advantage of neutralizing values that were stored before the update.
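To make the root cause and the shape of the fix concrete, here is an added illustration (not Elementor's code, and not the actual patch): a minimal model of a heading widget turning its stored settings into HTML, first trusting `header_size` as the advisory describes, then validating it against an allow-list before interpolation. The settings keys come from the advisory; the function names, the allow-list contents and the `h2` fallback are assumptions. The title is passed through unchanged in both versions so that the only difference is the tag check, which is where the flaw lies.

```php
<?php
// Added illustration, not Elementor's code or its patch. Models the heading
// widget's render step vulnerable and hardened. Assumed: function names,
// the allow-list, and the 'h2' fallback.

declare(strict_types=1);

// Tags the editor control offers for a heading (assumed allow-list).
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Vulnerable pattern: the stored tag name is trusted, so whatever a modified
// save_builder request placed in header_size becomes the element name.
function render_heading_vulnerable(array $settings): string
{
    $tag   = $settings['header_size'];   // attacker-controlled, may be 'script'
    $title = $settings['title'];         // heading content, unchanged here
    return sprintf('<%1$s class="elementor-heading-title">%2$s</%1$s>', $tag, $title);
}

// Hardened pattern: exact allow-list match; anything else gets the fallback.
// Exact matching also rejects values such as 'h1 onmouseover=...' or 'svg',
// which a deny-list of just 'script' would let through.
function validate_heading_tag(string $tag, string $fallback = 'h2'): string
{
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : $fallback;
}

function render_heading_fixed(array $settings): string
{
    $tag   = validate_heading_tag((string) ($settings['header_size'] ?? 'h2'));
    $title = (string) ($settings['title'] ?? '');
    return sprintf('<%1$s class="elementor-heading-title">%2$s</%1$s>', $tag, $title);
}

// Constructed settings of the kind a Contributor could store by editing the
// save_builder payload; the control's dropdown never offers 'script'.
$crafted = [
    'header_size' => 'script',
    'title'       => 'alert(document.domain)',
];

// The first line emits a live <script> element; the second emits an <h2>
// whose text happens to look like JavaScript and is inert.
echo 'vulnerable: ', render_heading_vulnerable($crafted), PHP_EOL;
echo 'fixed:      ', render_heading_fixed($crafted), PHP_EOL;
```

The check belongs wherever the tag is interpolated into markup. Validating only in the save handler would leave previously stored payloads live, and a deny-list of known-bad names is the wrong tool: any element that carries event-handler attributes or script-like behaviour is dangerous here, so only an explicit list of acceptable tags is safe.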
Preconditions
- Authentication: attacker must have a Contributor-level or higher WordPress user role.
- Input: attacker must send a crafted 'save_builder' request with 'header_size' set to 'script' and malicious JavaScript in the 'title' parameter.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/b72bd13d-c8e2-4347-b009-542fc0fe21bb (CONFIRM)
2. www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/ (MISC)
News mentions
No linked articles in our index yet.