{"id":60969,"date":"2026-06-09T05:23:53","date_gmt":"2026-06-09T05:23:53","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=60969"},"modified":"2026-06-09T05:23:53","modified_gmt":"2026-06-09T05:23:53","slug":"prime-elementor-addons-133-authenticated-contributor-stored-cross-site-scripting-via-widget-html-tag","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=60969","title":{"rendered":"Prime Elementor Addons <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget HTML Tag Settings_CVE-2026-8677"},"content":{"rendered":"

{“lastseen”:””,”description”:”The Prime Elementor Addons \u2013 Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploit succeeds even for users without the unfiltered_html capability because the payload (e.g., ‘img src=x onerror=alert(document.domain)’) contains no HTML angle brackets and therefore passes through Elementor’s wp_kses_post() filter unchanged at save time.”,”published”:”2026-06-09T08:29:39.999Z”,”modified”:”2026-06-09T08:29:39.999Z”,”type”:”cve”,”title”:”Prime Elementor Addons \\u003c= 1.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget HTML Tag Settings”,”source”:”Wordfence”,”references”:”https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/id\/95136083-58d7-4ee4-b894-6910c3992d20?source=cve\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.3.2\/includes\/Widgets\/InfoBox.php#L1645\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.3.2\/includes\/Widgets\/InfoBox.php#L1623\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.3.2\/includes\/Widgets\/Counter.php#L1079\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.3.2\/includes\/Widgets\/CallToAction.php#L1631\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.3.2\/includes\/Widgets\/TeamMember.php#L2638\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.3.2\/includes\/Traits\/PostGridRenderer.php#L164\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.3.2\/includes\/Widgets\/AdvancedAccordion.php#L1396\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.2.0\/includes\/Widgets\/InfoBox.php#L1645\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.2.0\/includes\/Widgets\/InfoBox.php#L1623\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.2.0\/includes\/Widgets\/Counter.php#L1079\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.2.0\/includes\/Widgets\/CallToAction.php#L1631\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.2.0\/includes\/Widgets\/TeamMember.php#L2638\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.2.0\/includes\/Traits\/PostGridRenderer.php#L164\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.2.0\/includes\/Widgets\/AdvancedAccordion.php#L1396\\nhttps:\/\/plugins.trac.wordpress.org\/changeset?old_path=unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.3.3\\u0026new_path=unlimited-elementor-inner-sections-by-boomdevs\/tags\/1.3.4″,”id”:”CVE-2026-8677″,”bulletinFamily”:””,”cwe”:[“CWE-79″],”cvelist”:null,”sourceData”:”wpmessiah Prime Elementor Addons \u2013 Lightweight Elementor Widgets for Faster Pages 0″,”sourceHref”:””,”cvss”:{“score”:6.4,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Prime Elementor Addons \u2013 Lightweight Elementor Widgets for Faster Pages”,”version”:”0″,”vendor”:”wpmessiah”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:””,”description”:”The Prime Elementor Addons \u2013 Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,46,12,21,13,7,11,5],"class_list":["post-60969","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-64","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nPrime Elementor Addons<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=60969\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Prime Elementor Addons\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:””,”description”:”The Prime Elementor Addons \u2013 Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=60969\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-09T05:23:53+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60969#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60969\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Prime Elementor Addons\",\"datePublished\":\"2026-06-09T05:23:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60969\"},\"wordCount\":3,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-6.4\",\"exploit\",\"MEDIUM\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=60969#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60969\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60969\",\"name\":\"Prime Elementor Addons\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-09T05:23:53+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60969#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=60969\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=60969#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Prime Elementor Addons\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Prime Elementor Addons","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=60969","og_locale":"en_US","og_type":"article","og_title":"Prime Elementor Addons","og_description":"{“lastseen”:””,”description”:”The Prime Elementor Addons \u2013 Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings...","og_url":"https:\/\/zero.redgem.net\/?p=60969","og_site_name":"zero redgem","article_published_time":"2026-06-09T05:23:53+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=60969#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=60969"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Prime Elementor Addons","datePublished":"2026-06-09T05:23:53+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=60969"},"wordCount":3,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-6.4","exploit","MEDIUM","news","Security","tapic","Vulnerability"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=60969#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=60969","url":"https:\/\/zero.redgem.net\/?p=60969","name":"Prime Elementor Addons","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-09T05:23:53+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=60969#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=60969"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=60969#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Prime Elementor Addons"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/60969","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60969"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/60969\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}