VYPR
Medium severity · 6.5 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 24, 2026

CVE-2026-39702

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wealcoder Animation Addons for Elementor (animation-addons-for-elementor) allows DOM-Based XSS. This issue affects Animation Addons for Elementor: from n/a through <= 2.6.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-based XSS in Animation Addons for Elementor plugin (≤2.6.1) allows attackers to inject malicious scripts via unsanitized input.

Vulnerability Overview

The Animation Addons for Elementor WordPress plugin, versions 2.6.1 and below, contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw resides in the animation-addons-for-elementor plugin and can be triggered without authentication, though successful exploitation requires user interaction [1].

Exploitation Details

An attacker can craft a malicious link or page that, when visited by an authenticated administrator or editor, injects arbitrary JavaScript into the DOM [1]. The vulnerability is classified as DOM-based XSS, meaning the payload executes in the browser context without being stored on the server [1]. The CVSS v3 base score of 6.5 reflects medium severity: the attack vector is network-based and requires low privileges and user interaction [1].

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's session, potentially leading to redirects, ad injections, or other HTML payloads that affect site visitors [1]. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vendor has not released a patched version beyond 2.6.1; users are strongly advised to update the plugin immediately if a newer version becomes available [1]. As a workaround, site administrators can restrict plugin usage, employ a web application firewall, or consult their hosting provider for additional security measures [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

References

1
