CVE-2026-1397 in PQ Addons Plugin
Summary
by MITRE • 03/21/2026
The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Title widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/27/2026
The PQ Addons – Creative Elementor Widgets plugin presents a significant security vulnerability classified as CVE-2026-1397, affecting all versions up to and including 1.0.0. This vulnerability manifests as a stored cross-site scripting flaw within the PQ Section Title widget, specifically targeting the html_tag parameter. The flaw represents a critical weakness in the plugin's input validation and output escaping mechanisms, creating an avenue for malicious code injection that can persist across user sessions. The vulnerability's impact is particularly concerning given that it requires only contributor-level access or higher, making it exploitable by users who already possess some degree of administrative privileges within the WordPress environment.
The technical nature of this vulnerability stems from inadequate sanitization of user inputs and insufficient escaping of output data within the plugin's widget implementation. When administrators or contributors utilize the PQ Section Title widget and provide malicious input through the html_tag parameter, the plugin fails to properly validate or sanitize this input before storing it within the WordPress database. This stored malicious content remains dormant until accessed by other users, at which point the injected scripts execute in the context of the victim's browser session. The vulnerability operates under CWE-79 which categorizes cross-site scripting flaws, specifically addressing the improper handling of untrusted data in web applications. This weakness enables attackers to manipulate the plugin's functionality to serve as a vector for executing arbitrary scripts.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a persistent foothold within the WordPress environment. Once a malicious script is injected through the vulnerable widget, it can potentially harvest user credentials, redirect users to malicious sites, or perform other malicious activities that compromise the integrity of the entire WordPress installation. The fact that this vulnerability requires only contributor-level access makes it particularly dangerous, as it allows attackers who have gained access to user accounts with moderate privileges to escalate their influence within the system. This aligns with ATT&CK technique T1059.001 which covers command and scripting interpreter, specifically focusing on the execution of malicious scripts in web applications. The stored nature of the XSS vulnerability means that the attack persists even after the initial injection, making it difficult to detect and remove without comprehensive database cleanup.
Mitigation strategies for CVE-2026-1397 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Administrators must ensure that all users with contributor-level access or higher are properly vetted and that appropriate access controls are maintained to limit the potential impact of such vulnerabilities. The recommended approach includes implementing robust input validation that filters and sanitizes all user-provided data before storage, combined with proper output escaping techniques that prevent malicious content from executing when rendered in web pages. Additionally, organizations should consider implementing web application firewalls and regular security audits to detect and prevent similar vulnerabilities from being exploited. Security monitoring should include database scanning for stored malicious content and user access logging to identify potential unauthorized modifications to plugin widgets. The vulnerability highlights the critical importance of input validation and output escaping practices in web application development, particularly within content management systems where user-generated content processing is common.