The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is specifically triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor, as the raw unescaped output occurs via the print_template() method registered on the 'elementor/section/print_template' hook rather than on the public-facing frontend.
Metrics
Affected Vendors & Products
References
History
Sat, 11 Jul 2026 08:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Leap13
Leap13 premium Addons For Elementor – Powerful Elementor Templates & Widgets Wordpress Wordpress wordpress |
|
| Vendors & Products |
Leap13
Leap13 premium Addons For Elementor – Powerful Elementor Templates & Widgets Wordpress Wordpress wordpress |
Sat, 11 Jul 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is specifically triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor, as the raw unescaped output occurs via the print_template() method registered on the 'elementor/section/print_template' hook rather than on the public-facing frontend. | |
| Title | Premium Addons for Elementor <= 4.11.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'premium_tooltip_text' Parameter | |
| Weaknesses | CWE-79 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-11T03:44:24.452Z
Reserved: 2026-06-12T17:13:30.104Z
Link: CVE-2026-12141
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-11T08:30:03Z