VYPR
Unrated severity · NVD Advisory · Published Apr 5, 2021 · Updated Aug 3, 2024

Elementor < 3.1.2 - Authenticated Stored Cross-Site Scripting (XSS) in Image Box Widget

CVE-2021-24206

Description

In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modified ‘save_builder’ request containing JavaScript in the ‘title_size’ parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Elementor <3.1.4 image box widget has a stored XSS vulnerability via unsanitized 'title_size' parameter, exploitable by Contributor+ users.

Vulnerability

The Elementor Website Builder plugin for WordPress prior to version 3.1.4 contains a stored cross-site scripting (XSS) vulnerability in the image box widget (includes/widgets/image-box.php). The 'title_size' parameter accepts user input but is not properly sanitized or escaped. Although the element control restricts allowed HTML tags, an attacker with Contributor-level permissions or higher can bypass this by sending a modified 'save_builder' request with malicious JavaScript in the 'title_size' parameter. [1]

Exploitation

An attacker must have at least Contributor role in WordPress. They craft a request to the 'save_builder' endpoint with arbitrary JavaScript code in the 'title_size' parameter. The plugin does not filter or escape this input, so the payload is stored. When a page containing the image box widget is viewed or previewed, the JavaScript executes in the context of the victim's browser. [1]

Impact

Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the browser of any user visiting the affected page. This can result in session hijacking, defacement, or redirection to malicious sites. The attacker gains the ability to perform actions on behalf of the victim within the WordPress admin, limited by the victim's privileges. [1]

Mitigation

The vulnerability is fixed in Elementor version 3.1.4, released on 2021-03-17. Users should update to version 3.1.4 or later. For sites running an older version, the only workaround is to restrict Contributor and higher roles to trusted users, as no plugin-level workaround is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation and output escaping on the title_size parameter in the image box widget allows injection of arbitrary JavaScript."

Attack vector

An attacker with Contributor-level or higher permissions sends a modified `save_builder` request containing JavaScript payloads in the `title_size` parameter [1]. Although the element control lists a fixed set of allowed HTML tags, the server-side code does not validate the parameter against that list, so arbitrary values pass through unfiltered. The unsanitized value is then output without escaping, causing the injected JavaScript to execute in the browser of any user who views or previews the saved page [1]. This is a classic stored cross-site scripting (XSS) attack.

Affected code

The vulnerable widget is `includes/widgets/image-box.php` in the Elementor Website Builder plugin. The `title_size` parameter accepts user-supplied HTML tag names but is not filtered or escaped before being output.

What the fix does

The advisory states the vulnerability is fixed in version 3.1.4 of the Elementor plugin [1]. No patch diff is provided in the bundle, but the fix presumably adds server-side validation of the `title_size` parameter against the allowed HTML tags and/or escapes the output before rendering it in the page.
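The allowlist check described above can also be run over builder data already stored on a site, to find image box widgets whose `title_size` was tampered with before the upgrade. The following is an added example, not Elementor's code and not taken from the advisory; the JSON layout (`elType`, `widgetType`, `settings`, `elements`), the tag allowlist, the `h3` fallback, and the function names are assumptions, and the sample data is constructed with an inert placeholder value.

```python
import json

# Assumption: the tag names offered by the widget's title_size control.
ALLOWED_TITLE_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "p"}
DEFAULT_TITLE_TAG = "h3"  # assumption: fallback when validation fails


def safe_title_tag(value):
    """Return value only if it is exactly an allowlisted tag name."""
    if isinstance(value, str) and value in ALLOWED_TITLE_TAGS:
        return value
    return DEFAULT_TITLE_TAG


def find_tampered_title_sizes(elements, path=""):
    """Walk the element tree; return (path, widget id, value) per bad title_size."""
    findings = []
    for index, element in enumerate(elements):
        here = f"{path}/{index}"
        settings = element.get("settings")
        # A PHP empty array serializes as [] rather than {}; only dicts carry keys.
        if not isinstance(settings, dict):
            settings = {}
        if element.get("widgetType") == "image-box" and "title_size" in settings:
            value = settings["title_size"]
            if safe_title_tag(value) != value:
                findings.append((here, element.get("id"), value))
        # Sections and columns nest their children under "elements".
        findings.extend(find_tampered_title_sizes(element.get("elements") or [], here))
    return findings


# Constructed sample of one page's stored builder data.
SAMPLE = json.loads("""
[{"id": "s1", "elType": "section", "settings": [], "elements": [
  {"id": "c1", "elType": "column", "settings": [], "elements": [
    {"id": "w1", "elType": "widget", "widgetType": "image-box",
     "settings": {"title_text": "Ok", "title_size": "h2"}},
    {"id": "w2", "elType": "widget", "widgetType": "image-box",
     "settings": {"title_text": "Bad", "title_size": "h3 TAMPERED-PLACEHOLDER"}}
  ]}
]}]
""")

if __name__ == "__main__":
    for where, widget_id, value in find_tampered_title_sizes(SAMPLE):
        print(f"{where} widget {widget_id}: title_size={value!r}, "
              f"would render as <{safe_title_tag(value)}>")
```

Any finding means the stored value was never one the editor control could have produced, so the page revision and the account that saved it are worth reviewing.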

Preconditions

  • auth: Attacker must have at least Contributor-level permissions on the WordPress site
  • input: Attacker must be able to send a modified save_builder request to the server
  • network: The saved page must be viewed or previewed by a victim to trigger the stored XSS

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
