Elementor Addon Elements <= 1.13.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id and eae_slider_animation Parameters
Description
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'eae_slider_animation' parameters in all versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Elementor Addon Elements plugin via unsanitized 'id' and 'eae_slider_animation' parameters affects all versions up to 1.13.5.
Vulnerability
The Elementor Addon Elements plugin for WordPress (versions up to and including 1.13.5) is susceptible to Stored Cross-Site Scripting (XSS) via the 'id' and 'eae_slider_animation' parameters. Insufficient input sanitization and output escaping allow arbitrary script injection. The plugin is available on the WordPress plugin repository and includes over 40 widgets for Elementor [1].
Exploitation
An authenticated attacker with at least Contributor-level access can inject malicious scripts through the affected parameters. The crafted payload is stored on the server and triggers when any user, including administrators, visits the compromised page. No additional chaining of vulnerabilities is required beyond standard WordPress post editing capabilities.
Impact
Successful exploitation enables the attacker to execute arbitrary web scripts in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites, compromising the confidentiality and integrity of the WordPress site and its users.
Mitigation
The plugin maintainer released version 1.14.5, which fixes the vulnerability. Users are urged to update to this or any later version. The latest tested WordPress version is 6.9.4 [1]. No workaround is available for unpatched installations; immediate update is recommended.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: <=1.13.5
- wpvibes/Addon Elements for Elementor (formerly Elementor Addon Elements) v5 Range: 0
Patches (1)
- r3107074
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/animated-text/widgets/animated-text.php (mitre)
- plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/bg-slider/module.php (mitre)
- plugins.trac.wordpress.org/changeset/3107074 (mitre)
- plugins.trac.wordpress.org/changeset/3107074 (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/ecfc1466-41d2-498b-8210-c67e8550f5b8 (mitre)