CVE-2026-15299 in Animation Addons for Elementor Plugininfo

Summary

by MITRE • 07/10/2026

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weather_style' and 'move_direction' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render() function at widgets/weather.php:1246, where both settings values are placed into an HTML class attribute without esc_attr(). Elementor does not server-side validate widget SELECT control values against allowed options on save, so an authenticated attacker with Contributor-level access or above can submit a crafted save_builder AJAX request storing arbitrary values in the _elementor_data post meta. The stored payload renders unescaped on every frontend visit to the affected page (the Weather widget requires an OpenWeatherMap API key to reach the vulnerable output, which is the normal operational state for sites using this widget).

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in the Animation Addons for Elementor plugin represents a critical stored cross-site scripting weakness that affects all versions up to and including 2.6.3. This security flaw resides within the Weather widget functionality where two specific parameters 'weather_style' and 'move_direction' are improperly handled during output rendering. The technical implementation fails to apply proper output escaping mechanisms when inserting these parameter values into HTML class attributes, creating an avenue for malicious code execution. The vulnerability is particularly concerning because it operates through a legitimate plugin feature that requires an OpenWeatherMap API key for normal operation, meaning the attack vector can be exploited in typical usage scenarios without requiring unusual conditions.

The core technical flaw manifests in the widgets/weather.php file at line 1246 within the render() function where the insufficient esc_attr() output escaping allows attacker-controlled values to be directly inserted into HTML attributes. This primitive security oversight creates a persistent XSS vulnerability that can be exploited through Elementor's AJAX-based page builder interface. The vulnerability is amplified by Elementor's lack of server-side validation for SELECT control values during the save_builder AJAX request process, which means that the plugin accepts any submitted value without proper sanitization or verification against predefined acceptable options. This architectural weakness allows authenticated attackers with Contributor-level permissions or higher to craft and submit malicious payloads that get stored in the _elementor_data post meta field.

The operational impact of this vulnerability extends beyond simple script injection as it provides attackers with persistent access to affected websites through legitimate user interactions. Every visit to a page containing the vulnerable Weather widget triggers the execution of stored malicious code, making this a particularly dangerous threat that can affect all visitors without requiring any special actions from them. The requirement for an OpenWeatherMap API key does not mitigate the risk since this is standard operational configuration for sites using the widget, meaning legitimate users are exposed to potential exploitation. This vulnerability affects the entire WordPress ecosystem where the plugin is installed and actively used, creating widespread potential for malicious activity including session hijacking, data exfiltration, and further attack propagation.

Mitigation strategies should focus on immediate remediation through plugin updates to versions that properly implement output escaping for all user-controllable parameters. Security practitioners should also consider implementing additional monitoring of Elementor's AJAX endpoints for unusual parameter submissions and establish strict validation policies for widget configurations. The vulnerability aligns with CWE-79 (Cross-site Scripting) and can be categorized under ATT&CK technique T1566 (Phishing) when used for credential theft or T1059 (Command and Scripting Interpreter) for executing malicious payloads. Organizations should also review their user permission structures to limit contributor-level access to Elementor functionality where possible, though the most effective long-term solution remains patching the vulnerability through official plugin updates that address the root cause of insufficient output escaping in the render function.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!