CVE-2026-12141 in Premium Addons for Elementor Plugininfo

Summary

by MITRE • 07/11/2026

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is specifically triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor, as the raw unescaped output occurs via the print_template() method registered on the 'elementor/section/print_template' hook rather than on the public-facing frontend.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The vulnerability identified in Premium Addons for Elementor represents a critical stored cross-site scripting flaw that undermines the security posture of WordPress installations relying on this popular plugin. This weakness exists within version 4.11.84 and all previous iterations, creating a persistent threat vector that can be exploited by authenticated attackers holding contributor-level privileges or higher. The vulnerability stems from inadequate input sanitization mechanisms applied to the 'premium_tooltip_text' parameter, which fails to properly escape or validate user-supplied content before processing. This oversight creates an environment where malicious actors can embed harmful scripts that persist within the plugin's data storage, awaiting execution in specific contexts rather than immediately affecting all site visitors.

The technical exploitation of this vulnerability occurs through a carefully crafted payload injection that leverages the plugin's internal architecture and hook system. When administrators or users with elevated privileges open affected posts within the Elementor editor interface, the malicious code becomes active through the print_template() method which is registered on the 'elementor/section/print_template' hook. This particular execution point is significant because it operates within the administrative editing environment rather than the public-facing website frontend, making the attack vector more subtle and potentially harder to detect. The vulnerability specifically targets the plugin's template rendering process where raw, unescaped output occurs, allowing attackers to inject arbitrary web scripts that execute in the context of privileged user sessions. This architectural flaw aligns with CWE-79, which classifies cross-site scripting vulnerabilities as a result of insufficient input validation and output escaping.

The operational impact of this vulnerability extends beyond simple script execution, creating opportunities for privilege escalation, data exfiltration, and broader system compromise. Since the attack requires only contributor-level access, it represents an underprivileged threat that can escalate to full administrative control when combined with other exploitation techniques or social engineering approaches. The fact that payloads execute specifically within the Elementor editor interface creates a targeted attack surface where administrators are regularly exposed to potentially compromised content, making this vulnerability particularly dangerous in environments where multiple editors collaborate on content creation. The stored nature of this XSS flaw means that once injected, malicious scripts remain persistent until manually removed from the database or the plugin is updated, providing attackers with extended periods of operational capability.

Mitigation strategies for this vulnerability should focus on immediate patching and architectural improvements to prevent similar issues in future development cycles. WordPress administrators must upgrade to versions beyond 4.11.84 where the input sanitization has been properly implemented to prevent unescaped output in the print_template() method. Organizations should implement additional monitoring for suspicious content injection patterns within their Elementor-based workflows, particularly focusing on tooltip text fields and other user-editable content areas. Security teams should consider implementing Content Security Policy headers as an additional defense-in-depth measure, though this mitigation is not sufficient on its own given the stored nature of the vulnerability. The ATT&CK framework categorizes this as a privilege escalation technique through web application vulnerabilities, specifically leveraging the T1078 credential access sub-technique where attackers establish persistent access through compromised administrative interfaces, making proactive patch management and user access control essential defensive measures.

Responsible

Wordfence

Reservation

06/12/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!