CVE-2026-39703
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WPBITS Addons For Elementor Page Builder up to 1.8.1 allows unauthenticated script injection via improper input sanitization.
Root Cause
The WPBITS Addons For Elementor Page Builder plugin for WordPress fails to properly neutralize user input during web page generation, leading to a stored cross-site scripting (XSS) vulnerability. All versions up to and including 1.8.1 are affected [1]. The wpbits-addons-for-elementor plugin does not sanitize or escape certain inputs before storing them, enabling attackers to inject persistent malicious scripts [1].
Exploitation
An attacker with low-level privileges can inject arbitrary HTML and JavaScript payloads into the page builder elements. When a privileged user (such as an admin) later views or edits the affected content, the stored payload executes in their browser. User interaction is required — the victim must perform an action like clicking a link or submitting a form, but the stored nature of the XSS makes this likely in normal workflows [1]. No authentication beyond a subscriber role is needed to inject the payload [1].
Impact
Successful exploitation allows the attacker to inject scripts that can redirect visitors, display advertisements, steal session cookies, or perform other malicious actions in the context of the victim's browser. Because the XSS is stored, any visitor to the affected page will execute the injected script, potentially compromising the entire site's integrity and user trust [1].
Mitigation
The vendor has not released a patched version at the time of publication; the vulnerability affects all versions up to and including 1.8.1. The recommended action is to update the plugin as soon as a patch becomes available. If immediate updating is not possible, site administrators should restrict contributor-level access and review any custom Elementor widgets for untrusted input. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.8.1
Patches
No patches discovered yet.
References
1