{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1397", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-23T21:27:49.825Z", "datePublished": "2026-03-21T03:27:10.035Z", "dateUpdated": "2026-04-08T17:27:24.751Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:24.751Z"}, "affected": [{"vendor": "peacefulqode", "product": "PQ Addons \u2013 Creative Elementor Widgets", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PQ Addons \u2013 Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Title widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "PQ Addons \u2013 Creative Elementor Widgets <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dabe0313-e349-4c87-894b-2612db28dcec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/trunk/widgets/section-title/styles/style-1.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/trunk/widgets/section-title/styles/style-2.php#L26"}, {"url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/tags/1.0.0/widgets/section-title/styles/style-1.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/tags/1.0.0/widgets/section-title/styles/style-2.php#L26"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}], "timeline": [{"time": "2026-03-20T15:19:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:57:28.822000Z", "id": "CVE-2026-1397", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:40:12.656Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1397", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:57:28.822000Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:57:46.276Z"}}], "cna": {"title": "PQ Addons \u2013 Creative Elementor Widgets <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "peacefulqode", "product": "PQ Addons \u2013 Creative Elementor Widgets", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:19:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dabe0313-e349-4c87-894b-2612db28dcec?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/trunk/widgets/section-title/styles/style-1.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/trunk/widgets/section-title/styles/style-2.php#L26"}, {"url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/tags/1.0.0/widgets/section-title/styles/style-1.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/tags/1.0.0/widgets/section-title/styles/style-2.php#L26"}], "descriptions": [{"lang": "en", "value": "The PQ Addons \u2013 Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Title widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:24.751Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1397", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:27:24.751Z", "dateReserved": "2026-01-23T21:27:49.825Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:10.035Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PQ Addons \u2013 Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Title widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin PQ Addons \u2013 Creative Elementor Widgets para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de atributos de widget en todas las versiones hasta la 1.0.0, inclusive, debido a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida insuficiente en el par\u00e1metro html_tag del widget PQ Section Title. Esto permite a atacantes autenticados, con acceso de nivel de colaborador y superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1397", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:53.550", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/tags/1.0.0/widgets/section-title/styles/style-1.php#L20"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/tags/1.0.0/widgets/section-title/styles/style-2.php#L26"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/trunk/widgets/section-title/styles/style-1.php#L20"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/peacefulqode-elementzplus-widgets/trunk/widgets/section-title/styles/style-2.php#L26"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dabe0313-e349-4c87-894b-2612db28dcec?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PQ Addons \u2013 Creative Elementor Widgets", "source": "cna", "vendor": "peacefulqode"}, "product": "pq_addons_\u2013_creative_elementor_widgets", "vendor": "peacefulqode"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:20:40.494892+00:00", "value": {"mitigation_remediation": ["Upgrade PQ Addons \u2013 Creative Elementor Widgets to the latest released version that includes proper input sanitization for the html_tag parameter.", "If an upgrade is unavailable, remove or delete any Section Title widgets that contain user\u2011supplied html_tag content.", "Restrict contributor access or only allow trusted users to edit widgets until the patch is deployed.", "Verify that no stored XSS payloads remain in the database by reviewing widget content before granting broader access.", "Keep WordPress and all plugins up to date and monitor the site for anomalous script injections."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2010Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases up to and including version 1.0.0 of the PQ Addons \u2013 Creative Elementor Widgets plugin. Sites that have installed any of those versions, and that provide contributor or higher level access to users, are potentially exposed.", "description_and_impact": "The PQ Addons \u2013 Creative Elementor Widgets plugin for WordPress allows authenticated users with contributor privileges or higher to submit an invalid html_tag parameter that is stored and later rendered without proper escaping. The stored payload is then executed in the browsers of any user who views the affected page, enabling the attacker to inject arbitrary JavaScript. This can lead to defacement, credential theft, drive\u2011by installation of malware or hijacking of the current user session. The weakness is a classic stored XSS, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a moderate severity, but the requirement of only contributor\u2011level authentication lowers the practical barrier for exploitation on sites with loose role permissions. No public exploit is currently documented and the vulnerability is not listed in the CISA KEV catalog, yet the lack of input sanitization provides a straightforward attack path. The risk is highest for sites with many contributors or untrusted users, while sites that limit or revoke such permissions can mitigate the threat until a patch is applied."}}}}, "created": "2026-03-23T09:49:49.775331+00:00", "updated": "2026-03-25T14:41:29.392092+00:00", "vendors": ["peacefulqode", "peacefulqode$PRODUCT$pq_addons_\u2013_creative_elementor_widgets", "wordpress", "wordpress$PRODUCT$wordpress"]}