{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28131", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:12.838Z", "datePublished": "2026-02-26T08:33:36.436Z", "dateUpdated": "2026-04-28T16:15:09.215Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "addon-elements-for-elementor-page-builder", "product": "Elementor Addon Elements", "vendor": "WPVibes", "versions": [{"changes": [{"at": "1.14.5", "status": "unaffected"}], "lessThanOrEqual": "1.14.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:43.972Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data.<p>This issue affects Elementor Addon Elements: from n/a through <= 1.14.4.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data.This issue affects Elementor Addon Elements: from n/a through <= 1.14.4."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:09.215Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-14-4-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Elementor Addon Elements plugin <= 1.14.4 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:56:57.225574Z", "id": "CVE-2026-28131", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:39:31.340Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28131", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T17:56:57.225574Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:56:47.379Z"}}], "cna": {"title": "WordPress Elementor Addon Elements plugin <= 1.14.4 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPVibes", "product": "Elementor Addon Elements", "versions": [{"status": "affected", "changes": [{"at": "1.14.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.14.4"}], "packageName": "addon-elements-for-elementor-page-builder", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:51:43.972Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-14-4-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data.This issue affects Elementor Addon Elements: from n/a through <= 1.14.4.", "supportingMedia": [{"type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data.<p>This issue affects Elementor Addon Elements: from n/a through <= 1.14.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:56.606Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28131", "state": "PUBLISHED", "dateUpdated": "2026-04-28T13:39:31.340Z", "dateReserved": "2026-02-25T12:14:12.838Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-26T08:33:36.436Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data.This issue affects Elementor Addon Elements: from n/a through <= 1.14.4."}, {"lang": "es", "value": "Vulnerabilidad de inserci\u00f3n de informaci\u00f3n sensible en datos enviados en WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder permite recuperar datos sensibles incrustados. Este problema afecta a Elementor Addon Elements: desde n/a hasta &lt;= 1.14.4."}], "id": "CVE-2026-28131", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-26T09:16:15.050", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-14-4-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.14.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Elementor Addon Elements", "source": "cna", "vendor": "WPVibes"}, "product": "elementor_addon_elements", "vendor": "wpvibes"}], "analysis": {"en": {"generated_at": "2026-04-15T23:53:35.732978+00:00", "value": {"mitigation_remediation": ["Update the Elementor Addon Elements plugin to the latest version (1.14.5 or later) to remove the vulnerability.", "If an update is not immediately available, disable the Elementor Addon Elements plugin until the fix is released to prevent data exposure.", "Review and sanitize any configuration files or hidden fields that may be inadvertently exposed by the plugin, ensuring sensitive data is not included in outbound responses."], "summary": {"action": "Patch Now", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Elementor Addon Elements plugin from any unsupplied version through version 1.14.4 are affected. The vulnerability exists across all platform configurations that enable the plugin to process and return data to end users, including those that may expose configuration values or user credentials.", "description_and_impact": "The issue involves the accidental insertion of sensitive information into data sent by the WPVibes Elementor Addon Elements plugin. Attackers who can interact with the plugin\u2019s outputs can retrieve confidential data that was never intended for public exposure. This is classed as a CWE\u2011201 vulnerability, which describes insecure data handling that results in information disclosure. No arbitrary code execution or denial of service is possible; the impact is limited to the unintended reveal of sensitive data, potentially compromising application integrity or user privacy.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to trigger the plugin\u2019s data output mechanism\u2014most likely through normal user interactions or crafted HTTP requests\u2014to read the exposed data. Because the data is publicly sent by the plugin, once the exploit is known, exposure can affect any user of the compromised site. The lack of remote code execution limits the damage vector, but confidentiality is still at risk."}}}}, "created": "2026-02-26T13:09:32.490019+00:00", "updated": "2026-04-16T00:00:14.147375+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpvibes", "wpvibes$PRODUCT$elementor_addon_elements"]}