VYPR
Medium severity (6.4) · NVD Advisory · Published Jun 10, 2026

CVE-2026-8613

Description

Stored XSS in aThemes Addons for Elementor (up to 1.1.8) allows authenticated attackers to inject scripts via widget settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.1.8. This vulnerability exists due to insufficient input sanitization and output escaping in the title_tag widget setting, specifically affecting the Posts Timeline and Posts Carousel widgets across their default, Banner, and Modern skins. These widgets lack the whitelist validation present in the Posts List widget.

Exploitation

An authenticated attacker with at least contributor-level access can exploit this vulnerability. The attacker injects arbitrary web scripts via the title_tag setting of a vulnerable widget; those scripts then execute whenever another user views a page containing the injected content.

Impact

Successful exploitation allows an attacker to execute arbitrary web scripts in the context of other users' browsers. This can lead to session hijacking, defacement, or redirection to malicious sites, impacting the confidentiality and integrity of user data and the website.

Mitigation

The vulnerability was fixed in version 1.1.9, released on 2026-05-14 [3]. Users should update to version 1.1.9 or later to patch this vulnerability. No workarounds are available for older versions.

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The plugin fails to properly sanitize and escape user-supplied input in the 'title_tag' widget setting for certain widgets."

Attack vector

An authenticated attacker with at least contributor-level access can inject arbitrary web scripts into pages by exploiting the 'title_tag' setting in vulnerable widgets. This vulnerability affects the Posts Timeline and Posts Carousel widgets (including the Carousel's default, Banner, and Modern skins), which lack the input validation present in other widgets such as the Posts List. When a user views a page containing the injected script, it executes in their browser.

Affected code

The vulnerability exists in the Posts Timeline and Posts Carousel widgets, specifically in how the 'title_tag' widget setting is handled. The reference write-up indicates that these widgets omit whitelist validation that is correctly applied in the Posts List widget, leading to insufficient input sanitization and output escaping.

What the fix does

The patch, available in version 1.1.9, addresses the vulnerability by implementing proper input sanitization and output escaping for the 'title_tag' widget setting. This ensures that any script code injected by an attacker is neutralized before being rendered on the page, preventing arbitrary script execution and mitigating the stored cross-site scripting risk.
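As an added example (not the plugin's own code, and not the 1.1.9 patch, which this page does not show), the following PHP contrasts an unvalidated title-tag render path with one that restricts the `title_tag` setting to a fixed list of element names, which is the whitelist-style check the text describes for the Posts List widget. The setting name `title_tag` comes from the advisory; the function names, the allowlist contents and the `esc_html` stand-in are assumptions.

```php
<?php
// Added example, not code from aThemes Addons for Elementor.
// Shows why a tag-name setting must be validated against a fixed list rather
// than interpolated into markup as stored. Names below are assumptions.

// Minimal stand-in so the file runs outside WordPress; inside WordPress the
// real esc_html() is used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Element names a post title wrapper may use (assumed list). Anything else
// falls back to the default, so the stored value never reaches the markup
// verbatim.
const EXAMPLE_ALLOWED_TITLE_TAGS = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p' );

function example_validate_title_tag( $tag, $default = 'h3' ) {
    $tag = strtolower( trim( (string) $tag ) );
    return in_array( $tag, EXAMPLE_ALLOWED_TITLE_TAGS, true ) ? $tag : $default;
}

// Unvalidated render path, the class of defect the advisory describes:
// the tag name is placed into the opening and closing tags exactly as stored,
// so a value containing spaces, quotes or angle brackets becomes markup.
function example_render_title_unsafe( array $settings, $title ) {
    $tag = $settings['title_tag'];
    return sprintf( '<%1$s class="post-title">%2$s</%1$s>', $tag, esc_html( $title ) );
}

// Hardened render path: the setting only selects among known tag names, and
// the title text is still HTML-escaped on output.
function example_render_title_safe( array $settings, $title ) {
    $tag = example_validate_title_tag( $settings['title_tag'] ?? '' );
    return sprintf( '<%1$s class="post-title">%2$s</%1$s>', $tag, esc_html( $title ) );
}

// The same check belongs on the save path too, so a contributor's widget
// settings are normalised before they are stored.
function example_sanitize_title_tag_setting( array $settings ) {
    $settings['title_tag'] = example_validate_title_tag( $settings['title_tag'] ?? '' );
    return $settings;
}

// Constructed sample settings: one benign, one carrying attribute syntax that
// a bare tag name must never contain.
$benign  = array( 'title_tag' => 'h2' );
$hostile = array( 'title_tag' => 'h2 title="injected"' );

echo example_render_title_unsafe( $hostile, 'Hello' ), PHP_EOL;
echo example_render_title_safe( $hostile, 'Hello' ), PHP_EOL;
echo example_render_title_safe( $benign, 'Hello' ), PHP_EOL;
print_r( example_sanitize_title_tag_setting( $hostile ) );
```

Run with `php example.php`: the unsafe path emits the injected attribute inside the opening tag, while the safe path renders the hostile setting with the default `h3` wrapper and the benign setting as `h2`. Escaping the title text alone does not help here, because the untrusted value is the element name, not the content; only an allowlist on the tag name closes that path. Elementor core ships a helper of this kind (`\Elementor\Utils::validate_html_tag()`) in recent versions; whether the fixed plugin uses it is not stated on this page.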

Preconditions

  • auth: Attacker must have at least contributor-level access.

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0 (no linked articles in our index yet)