Elementor < 3.1.4 - Authenticated Stored Cross-Site Scripting (XSS) in Icon Box Widget
Description
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_size’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Elementor < 3.1.4 has a stored XSS in the icon box widget's 'title_size' parameter, allowing Contributor+ users to inject JavaScript.
Vulnerability
In the Elementor Website Builder plugin for WordPress versions before 3.1.4, the icon box widget (found in includes/widgets/icon-box.php) accepts a title_size parameter. Although the element control normally restricts the parameter to a fixed set of HTML tags, a user with Contributor-level access or higher can craft a modified save_builder request that includes arbitrary JavaScript within the title_size value. The plugin does not sanitize or escape this parameter, leading to stored cross-site scripting (XSS) [1].
Exploitation
An attacker must have at least Contributor permissions on a WordPress site running a vulnerable version of Elementor (before 3.1.4). The attacker sends a specially crafted save_builder request, placing malicious JavaScript in the title_size field of the icon box widget. The payload is then stored in the page content. When any user (including administrators) views or previews the affected page, the injected script executes in their browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a logged-in user's session when they view the compromised page. This can lead to theft of session cookies, unauthorized actions performed on behalf of the victim, defacement, or redirection to malicious sites. The attack achieves stored XSS, which is persistent and can affect multiple users [1].
Mitigation
The Elementor team fixed this vulnerability in version 3.1.4. All users should update to Elementor 3.1.4 or later immediately. No other workaround is available from the references; site administrators should also review and restrict Contributor-level permissions if needed [1].
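Whether the 3.1.4 fix neutralises values that were stored before the update is not stated in the references, so it is worth checking existing content. The following PHP check is an added example, not Elementor's or Wordfence's code: it walks the JSON element tree that Elementor keeps in the `_elementor_data` post meta and reports every icon box whose `title_size` is anything other than a bare allowed tag name. The sample JSON is constructed for the example; the meta key name and the element layout (`elType`, `widgetType`, `settings`, `elements`) are assumptions about Elementor's storage format, as is the allow-list.

```php
<?php
// Added example (not Elementor's or Wordfence's code): scan a stored
// _elementor_data element tree for icon-box widgets whose title_size is not
// a plain allow-listed tag name. The JSON below is constructed; the meta key
// and the elType/widgetType/settings/elements layout are assumptions.

declare(strict_types=1);

// Assumed set of tags the editor control offers for the title.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

/**
 * Recursively visit the element tree and return one finding per suspicious
 * icon-box widget as [path, offending value].
 */
function find_bad_title_sizes(array $elements, string $path = ''): array
{
    $findings = [];
    foreach ($elements as $i => $el) {
        $here = $path . '/' . ($el['id'] ?? (string) $i);
        if (($el['elType'] ?? '') === 'widget' && ($el['widgetType'] ?? '') === 'icon-box') {
            $size = $el['settings']['title_size'] ?? null;
            // Strict comparison: anything that is not exactly an allowed tag
            // name (extra attributes, whitespace, case changes) is flagged.
            if ($size !== null && !in_array($size, ALLOWED_TITLE_TAGS, true)) {
                $findings[] = [$here, $size];
            }
        }
        if (!empty($el['elements']) && is_array($el['elements'])) {
            $findings = array_merge($findings, find_bad_title_sizes($el['elements'], $here));
        }
    }
    return $findings;
}

// Constructed _elementor_data value: section > column > two icon boxes, one
// clean and one whose title_size carries an injected event-handler attribute.
$elementor_data = json_encode([[
    'id' => 'a1b2c3', 'elType' => 'section', 'settings' => [],
    'elements' => [[
        'id' => 'd4e5f6', 'elType' => 'column', 'settings' => [],
        'elements' => [
            ['id' => '111111', 'elType' => 'widget', 'widgetType' => 'icon-box',
             'settings' => ['title_size' => 'h3', 'title_text' => 'Fast']],
            ['id' => '222222', 'elType' => 'widget', 'widgetType' => 'icon-box',
             'settings' => ['title_size' => 'h3 onmouseover="alert(1)"', 'title_text' => 'Secure']],
        ],
    ]],
]]);

$tree = json_decode($elementor_data, true, 512, JSON_THROW_ON_ERROR);
foreach (find_bad_title_sizes($tree) as [$path, $value]) {
    printf("suspicious title_size at %s: %s\n", $path, var_export($value, true));
}
```

On a live site the JSON would come from `get_post_meta($post_id, '_elementor_data', true)` inside WordPress, or from `wp post meta get <post-id> _elementor_data` with WP-CLI, and the loop would run over every post that has that meta key. A finding does not prove exploitation, but any value that is not a bare tag name could only have arrived through a request that bypassed the editor control.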
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Elementor Website Builder plugin
- Range: <3.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation and output escaping on the 'title_size' parameter in the icon box widget allows injection of arbitrary HTML/JavaScript."
Attack vector
An authenticated user with Contributor or higher permissions sends a modified 'save_builder' request containing JavaScript payloads in the 'title_size' parameter [ref_id=1]. The Elementor icon box widget (includes/widgets/icon-box.php) accepts this parameter and, although the element control lists a fixed set of allowed HTML tags, the server-side code does not validate or sanitize the input [ref_id=1]. The unsanitized value is then output without escaping, so when the saved page is viewed or previewed, the injected JavaScript executes in the context of the victim's browser [ref_id=1].
Affected code
The vulnerable code resides in the icon box widget at includes/widgets/icon-box.php [ref_id=1]. The 'title_size' parameter is accepted from user input but is not filtered or escaped before being output [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in Elementor version 3.1.4 [ref_id=1]. No patch diff is provided in the bundle. A fix for a bug of this shape would add server-side validation of the 'title_size' value against the fixed set of allowed tag names and/or escape the value before it is rendered; whether 3.1.4 does one or both is not confirmed by the references. Users should update to version 3.1.4 or later to remediate the issue.
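As an added illustration (not Elementor's code and not the 3.1.4 patch, which is not in the bundle), the following PHP is a cut-down stand-in for the widget's render step. It places the vulnerable pattern, where the stored setting lands directly in the tag position of the markup, beside the allow-list check that closes it. Function names, the allow-list contents and the sample settings are assumptions.

```php
<?php
// Added example (not Elementor's own code): a stripped-down stand-in for the
// icon box widget's render step, showing why an unvalidated tag-name setting
// is an HTML injection sink and how an allow-list check closes it. Function
// names, the allow-list and the sample settings are assumptions.

declare(strict_types=1);

// Tags the element control offers in the editor UI. The bug is that the UI
// enforces this list but the server never does.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Vulnerable pattern: the stored setting is interpolated straight into the
// tag position. Escaping the title text does not help, because the tag name
// itself is attacker-controlled and a tag name cannot be "escaped" into safety.
function render_title_vulnerable(array $settings): string
{
    $tag   = $settings['title_size'] ?? 'h3';
    $title = htmlspecialchars($settings['title_text'] ?? '', ENT_QUOTES, 'UTF-8');
    return "<{$tag} class=\"elementor-icon-box-title\">{$title}</{$tag}>";
}

// Hardened pattern: accept the setting only if it is exactly one of the
// allowed tag names, otherwise fall back to a safe default. Because the value
// is compared against a closed set, nothing outside that set can reach the
// markup.
function validate_html_tag(string $tag, string $default = 'h3'): string
{
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_TITLE_TAGS, true) ? $tag : $default;
}

function render_title_hardened(array $settings): string
{
    $tag   = validate_html_tag((string) ($settings['title_size'] ?? 'h3'));
    $title = htmlspecialchars($settings['title_text'] ?? '', ENT_QUOTES, 'UTF-8');
    return "<{$tag} class=\"elementor-icon-box-title\">{$title}</{$tag}>";
}

// Constructed settings as a Contributor could submit them in a modified
// save_builder request: the editor would only ever send "h2", but nothing
// stops the client from sending a value that carries an event-handler attribute.
$benign   = ['title_size' => 'h2', 'title_text' => 'Our services'];
$tampered = ['title_size' => 'h2 onmouseover="alert(document.cookie)"',
             'title_text' => 'Our services'];

foreach (['benign' => $benign, 'tampered' => $tampered] as $label => $settings) {
    echo "== {$label} ==\n";
    echo "vulnerable: " . render_title_vulnerable($settings) . "\n";
    echo "hardened:   " . render_title_hardened($settings) . "\n";
}
```

For the tampered settings the vulnerable renderer emits an `<h2 onmouseover="...">` opening tag, which a browser parses and executes on hover, while the hardened renderer rejects the value and emits the default `<h3>`. The general lesson is that a setting used as a tag or attribute name must be validated against a closed list on the server; output escaping alone is the wrong tool for that sink.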
Preconditions
- auth: Attacker must have Contributor-level or higher permissions on the WordPress site.
- input: Attacker must send a modified 'save_builder' request containing a JavaScript payload in the 'title_size' parameter.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://wpscan.com/vulnerability/ef23df6d-e265-44f6-bb94-1005b16d34d9 (CONFIRM)
- https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/ (MISC)
News mentions
No linked articles in our index yet.