CVE-2026-13710 in Jeg Kit for Elementor Plugininfo

Summary

by MITRE • 07/10/2026

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget's 'sg_body_description' parameter in versions up to, and including, 3.2.6. This is due to insufficient input sanitization and output escaping on the description attribute in the render_body() method of the Image_Box_View class — every other attribute used by the method is wrapped in esc_attr(), but the description value is concatenated directly into HTML body context. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The Jeg Kit for Elementor plugin represents a popular suite of addons designed to extend the functionality of the Elementor page builder within WordPress environments. This particular vulnerability affects versions up to and including 3.2.6, where a stored cross-site scripting flaw exists in the Image Box widget implementation. The security issue stems from inadequate input sanitization practices within the plugin's codebase, specifically in how user-provided content is handled during the rendering process.

The technical flaw manifests in the Image_Box_View class where the render_body() method processes user input without proper escaping of the 'sg_body_description' parameter. While all other attributes in this method correctly utilize esc_attr() for output escaping, the description field is directly concatenated into HTML context without appropriate sanitization measures. This oversight creates a persistent XSS vector that allows attackers to inject malicious scripts that will execute whenever affected pages are rendered. The vulnerability specifically targets the description attribute which is intended to contain user-generated content for display purposes within the widget's body section.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to inject malicious JavaScript code into the plugin's Image Box widget descriptions. Once injected, these scripts become persistent elements stored within the WordPress database and will execute whenever any user accesses pages containing the vulnerable widget. This creates a significant risk for administrators and other privileged users who may view affected pages, as the malicious code can potentially steal session cookies, redirect users to malicious sites, or perform other harmful actions. The attack requires only minimal privileges typically granted to contributors, making it particularly concerning for WordPress installations where multiple user roles exist.

This vulnerability aligns with CWE-79 which defines Cross-Site Scripting as a critical security weakness occurring when untrusted data is incorporated into web pages without proper validation or escaping. It also maps to ATT&CK technique T1566.001 which describes spearphishing via social media, and more broadly to T1059.007 for script injection techniques. The impact extends beyond simple content manipulation as it enables attackers to potentially escalate privileges within the WordPress environment, access sensitive user data, or establish persistent backdoors through client-side attacks. Organizations using this plugin should immediately implement mitigations including updating to patched versions and implementing additional input validation measures.

The exploitation process requires attackers to navigate to the Image Box widget configuration interface and insert malicious script code into the description field. The injected content is then stored persistently within the WordPress database, making it available for execution whenever the affected pages are accessed by any user with appropriate permissions. This makes the vulnerability particularly dangerous as it can remain undetected for extended periods while continuously serving malicious payloads to unsuspecting users who interact with vulnerable pages containing the compromised widgets.

Mitigation strategies should include immediate patching of the plugin to version 3.2.7 or later where the sanitization issue has been addressed. Additionally, administrators should implement input validation at multiple levels including database storage, rendering output, and user interface controls. Regular security audits of plugin code should be conducted to identify similar patterns of insufficient escaping or sanitization. Network monitoring solutions can help detect anomalous script execution patterns that may indicate exploitation attempts. User role management should also be reviewed to ensure appropriate access controls are in place for widget configuration interfaces, limiting the scope of potential attackers who could exploit this vulnerability.

Responsible

Wordfence

Reservation

06/29/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!