CVE-2026-11390 in News Kit Addons for Elementor Plugininfo

Summary

by MITRE • 07/14/2026

The News Kit Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an attacker to intercept and modify the elementor_ajax AJAX save request in order to bypass the client-side SELECT control restrictions and submit arbitrary tag-name values.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The News Kit Addons For Elementor plugin presents a significant security vulnerability classified as stored cross-site scripting that affects versions through 1.4.6. This flaw resides within the plugin's handling of Site Logo Title and Single Author Box widgets, creating an avenue for malicious code execution that can impact all users of affected installations. The vulnerability stems from inadequate input sanitization mechanisms and insufficient output escaping practices that fail to properly validate or escape user-supplied data before it is stored in the database and subsequently rendered on web pages.

The technical exploitation of this vulnerability requires an authenticated attacker possessing contributor-level privileges or higher, which represents a concerning threat vector since many WordPress installations grant contributor roles to users who may not fully understand the security implications of their actions. Attackers can leverage this privilege escalation by intercepting and modifying elementor_ajax AJAX save requests through man-in-the-middle techniques or other network interception methods. The attack bypasses client-side SELECT control restrictions by submitting arbitrary tag-name values that would normally be restricted, allowing malicious scripts to be stored in the database where they persist until explicitly removed.

This vulnerability directly maps to CWE-79, which defines Cross-Site Scripting as a condition where an application includes untrusted data in web pages without proper validation or escaping. The stored nature of this XSS vulnerability means that malicious payloads are permanently saved within the plugin's data storage mechanisms and executed whenever affected pages are accessed by any user, including administrators with elevated privileges. The attack chain involves three critical phases: initial access through contributor-level authentication, request interception and modification to bypass client-side controls, and finally payload execution when legitimate users view pages containing the malicious code.

The operational impact of this vulnerability extends beyond simple script execution as it can enable attackers to perform session hijacking, steal user credentials, redirect victims to malicious sites, or even execute more sophisticated attacks such as privilege escalation within the WordPress environment. The fact that this affects core Elementor widgets means that the attack surface is broad and can potentially compromise multiple pages throughout a website simultaneously. Security practitioners should note that this vulnerability represents a particularly dangerous class of issue because it requires minimal user interaction beyond normal content creation activities, making detection and mitigation more challenging.

Mitigation strategies must address both immediate protection and long-term security hardening measures for affected installations. The most critical recommendation involves upgrading to the latest version of the plugin where the XSS vulnerability has been patched through proper input sanitization and output escaping implementations. Organizations should also implement network monitoring solutions to detect unusual AJAX request patterns that might indicate interception attempts, while establishing strict access controls to limit contributor-level privileges to trusted users only. Additionally, implementing Content Security Policy headers can provide an additional layer of protection by restricting the sources from which scripts can be executed on affected pages. The vulnerability demonstrates the importance of following secure coding practices as outlined in OWASP Top Ten and NIST cybersecurity guidelines, particularly emphasizing input validation and output encoding as fundamental defense mechanisms against web application vulnerabilities.

Responsible

Wordfence

Reservation

06/05/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!