{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2600", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-16T20:54:31.358Z", "datePublished": "2026-04-04T07:41:57.948Z", "dateUpdated": "2026-04-08T16:51:11.732Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:11.732Z"}, "affected": [{"vendor": "roxnor", "product": "ElementsKit Elementor Addons \u2013 Advanced Widgets & Templates Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ElementsKit Elementor Addons and Templates <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Simple Tab Widget", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c33c640-0876-4b07-829e-35cae445b420?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3468265/elementskit-lite/trunk/widgets/tab/tab.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "knani alaaeddine"}], "timeline": [{"time": "2026-01-22T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-16T21:09:47.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T19:37:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:29:50.905848Z", "id": "CVE-2026-2600", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:41:39.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2600", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:29:50.905848Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:30:09.081Z"}}], "cna": {"title": "ElementsKit Elementor Addons and Templates <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Simple Tab Widget", "credits": [{"lang": "en", "type": "finder", "value": "knani alaaeddine"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "roxnor", "product": "ElementsKit Elementor Addons \u2013 Advanced Widgets & Templates Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.7.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-22T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-16T21:09:47.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T19:37:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c33c640-0876-4b07-829e-35cae445b420?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3468265/elementskit-lite/trunk/widgets/tab/tab.php"}], "descriptions": [{"lang": "en", "value": "The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:11.732Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2600", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:11.732Z", "dateReserved": "2026-02-16T20:54:31.358Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T07:41:57.948Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-2600", "lastModified": "2026-04-24T18:13:28.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T08:16:06.370", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3468265/elementskit-lite/trunk/widgets/tab/tab.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c33c640-0876-4b07-829e-35cae445b420?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.7.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ElementsKit Elementor Addons \u2013 Advanced Widgets & Templates Addons for Elementor", "source": "cna", "vendor": "roxnor"}, "product": "elementskit_elementor_addons_\u2013_advanced_widgets_&_templates_addons_for_elementor", "vendor": "roxnor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-04T11:51:30.970183+00:00", "value": {"mitigation_remediation": ["Check the current ElementsKit plugin version on the WordPress dashboard.", "If the version is 3.7.9 or earlier, update the plugin to 3.8.0 or newer as soon as possible.", "Verify that the tab widget no longer accepts or displays malicious scripts after the update.", "Consider revoking contributor or higher-level access from untrusted users until the update is applied, or add a double\u2011check on tab titles before saving.", "Monitor site activity and error logs for any attempts to inject scripts after the patch.", "If an update cannot be applied immediately, disable or remove the Simple Tab widget from publicly accessible pages until a fix is available."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The impacted product is ElementsKit Elementor Addons \u2013 Advanced Widgets & Templates Addons for Elementor, supplied by roxnor. All releases up to and including version 3.7.9 are vulnerable. Versions 3.8.0 and newer contain the fix and therefore are not affected.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in the ElementsKit Elementor Addons and Templates plugin for WordPress. The short\u2011tab widget accepts an \"ekit_tab_title\" value that is stored without proper sanitization or escaping. When a page containing the tab is viewed by any user, the injected script runs in their browser, enabling the attacker to steal credentials, perform actions on the victim\u2019s behalf, or compromise site integrity. The weakness is described by CWE\u201179: Improper Neutralization of Input During Web Page Generation.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting low current exploitation prevalence. However, the flaw requires only authenticated contributor access, a privilege commonly granted to site editors, and affects any visitor who views the malicious tab. Consequently, an attacker with contributor rights can compromise user sessions and the site\u2019s reputation with minimal effort."}}}}, "created": "2026-04-06T20:27:41.703023+00:00", "updated": "2026-04-06T22:21:00.609088+00:00", "vendors": ["roxnor", "roxnor$PRODUCT$elementskit_elementor_addons_\u2013_advanced_widgets_&_templates_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}