{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22518", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:43.226Z", "datePublished": "2026-01-08T16:21:08.373Z", "dateUpdated": "2026-04-28T16:14:46.679Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "x-addons-elementor", "product": "X Addons for Elementor", "vendor": "pencilwp", "versions": [{"lessThanOrEqual": "1.0.23", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:04.516Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows DOM-Based XSS.<p>This issue affects X Addons for Elementor: from n/a through <= 1.0.23.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows DOM-Based XSS.This issue affects X Addons for Elementor: from n/a through <= 1.0.23."}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.679Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress X Addons for Elementor plugin <= 1.0.23 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T20:12:35.202727Z", "id": "CVE-2026-22518", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T20:12:45.629Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22518", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T20:12:35.202727Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T20:12:41.384Z"}}], "cna": {"title": "WordPress X Addons for Elementor plugin <= 1.0.23 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "pencilwp", "product": "X Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.23"}], "packageName": "x-addons-elementor", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:51.127Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows DOM-Based XSS.This issue affects X Addons for Elementor: from n/a through <= 1.0.23.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows DOM-Based XSS.<p>This issue affects X Addons for Elementor: from n/a through <= 1.0.23.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:03.722Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22518", "state": "PUBLISHED", "dateUpdated": "2026-04-23T14:14:03.722Z", "dateReserved": "2026-01-07T13:44:43.226Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T16:21:08.373Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows DOM-Based XSS.This issue affects X Addons for Elementor: from n/a through <= 1.0.23."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('Cross-site Scripting') vulnerabilidad en pencilwp X Addons for Elementor permite XSS basado en DOM. Este problema afecta a X Addons for Elementor: desde n/a hasta 1.0.23."}], "id": "CVE-2026-22518", "lastModified": "2026-04-23T15:36:37.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T17:15:51.810", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:15:28.860605+00:00", "value": {"mitigation_remediation": ["Upgrade the X Addons for Elementor plugin to the latest version (1.0.24 or newer).", "If an upgrade is not immediately possible, disable or delete the plugin from the WordPress installation.", "Implement a strict Content Security Policy that restricts script sources to trusted origins, which can mitigate the impact of any remaining XSS flaws."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting in the WordPress X Addons for Elementor plugin allows arbitrary script execution by end users"}, "threat_synthesis": {"affected_systems": "The affected vendor is pencilwp, product X Addons for Elementor. All releases up to and including version 1.0.23 are impacted; the vulnerability is present from the initial release through 1.0.23.", "description_and_impact": "The vulnerability is a DOM\u2011based Cross\u2011Site Scripting flaw caused by improper neutralization of user input during web page generation. When a malicious query string or input value is processed by the X Addons for Elementor plugin, it can inject arbitrary JavaScript that runs in the context of a visitor\u2019s browser. This enables attackers to perform session hijacking, defacement, phishing, or downstream attacks without needing to exploit server\u2011side code.", "risk_and_exploitability": "The CVSS score is 6.5, indicating moderate severity. Based on the description, the likely attack vector is a client\u2011side exploitation requiring victim interaction with a crafted URL or malicious input. The EPSS score is under 1% and the CVE is not listed in the CISA KEV catalog, indicating a low probability of exploitation in the wild. Attackers would need to entice a victim to load a malicious link or provide input that the plugin processes, after which arbitrary JavaScript can execute in the visitor\u2019s browser. This path requires no server\u2011side compromise and relies solely on the browser context of the exposed site."}}}}, "created": "2026-01-09T13:24:33.551269+00:00", "updated": "2026-04-28T18:15:37.379912+00:00", "vendors": ["pencilwp", "pencilwp$PRODUCT$x_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}