CVE-2026-22518

Vulnerability

Overview

CVE-2026-22518 is a DOM-Based Cross-Site Scripting (XSS) vulnerability found in the X Addons for Elementor WordPress plugin, affecting versions from n/a through 1.0.23. The root cause is improper neutralization of user input during web page generation, which allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser [1].

Exploitation

Prerequisites

Exploitation requires user interaction — a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a specially crafted form. The attack is DOM-based, meaning the payload is processed client-side without being stored on the server, which can bypass some server-side filters that only check server-side input [1].

Impact

Successful exploitation could allow an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts execute when any visitor accesses the affected site, potentially leading to session hijacking, defacement, or phishing attacks [1].

Mitigation

The vendor has released a fix; users should update the X Addons for Elementor plugin to version 1.0.24 or later. As an immediate action, updating the plugin is recommended. If updating is not possible, users should contact their hosting provider or web developer for assistance [1].