CVE-2026-1397 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the PQ Addons – Creative Elementor Widgets plugin for WordPress. The vulnerability exists in all versions up to and including 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Title widget. This security flaw enables authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or further attacks against site visitors.
Critical Impact
Authenticated attackers with contributor privileges can inject persistent malicious JavaScript that executes in the browsers of all users viewing affected pages, enabling session hijacking and phishing attacks.
Affected Products
- PQ Addons – Creative Elementor Widgets plugin for WordPress version 1.0.0 and earlier
- WordPress sites using the PQ Section Title widget with vulnerable versions
- Elementor-based WordPress installations with the peacefulqode-elementzplus-widgets plugin
Discovery Timeline
- 2026-03-21 - CVE-2026-1397 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-1397
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability stems from improper handling of user-supplied input in the PQ Section Title widget component of the PQ Addons plugin. When users with contributor-level permissions or above create or edit content using the Section Title widget, the html_tag parameter accepts arbitrary input without proper sanitization. The widget renders this parameter directly into the page HTML without adequate output escaping, allowing attackers to break out of the intended HTML context and inject malicious script content.
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). Unlike reflected XSS attacks that require social engineering to deliver malicious payloads, this stored variant persists the malicious script within the WordPress database. Every subsequent page load retrieves and executes the injected payload, significantly amplifying the attack's impact and reach.
Root Cause
The root cause of this vulnerability lies in the insufficient input validation and output escaping mechanisms within the Section Title widget implementation. Specifically, the vulnerable code paths are located in:
- widgets/section-title/styles/style-1.php at line 20
- widgets/section-title/styles/style-2.php at line 26
These files accept the html_tag parameter from widget attributes and render it directly into the HTML output without properly escaping special characters or validating against an allowlist of acceptable HTML tag values. WordPress provides sanitization functions like esc_html(), esc_attr(), and wp_kses() specifically to prevent such issues, but these protections were not adequately implemented in the affected code paths.
Attack Vector
The attack exploits the network-accessible WordPress administrative interface. An attacker who has obtained or been granted contributor-level access to a WordPress installation can navigate to the page or post editor, add or modify a PQ Section Title widget, and inject malicious JavaScript through the html_tag attribute. Since the payload is stored in the database and rendered server-side, the malicious script executes in the browser context of any user who views the affected page.
The attack requires low privileges (contributor access) and no user interaction beyond normal page viewing. The cross-site nature of the vulnerability means scripts execute with the privileges of the viewing user, potentially allowing attackers to escalate to administrative access if an admin views the poisoned page. For detailed technical analysis of the vulnerable code paths, refer to the Wordfence Vulnerability Analysis and the WordPress Plugin Style 1 Code.
Detection Methods for CVE-2026-1397
Indicators of Compromise
- Unexpected JavaScript code or <script> tags within PQ Section Title widget configurations in the WordPress database
- Anomalous html_tag parameter values containing event handlers (onerror, onload, onclick) or script injections
- User reports of unexpected browser behavior, pop-ups, or redirects when viewing specific pages
- Database entries in the wp_postmeta table with suspicious Elementor widget data containing encoded or obfuscated script content
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in POST requests targeting Elementor widget endpoints
- Deploy integrity monitoring on WordPress database tables to alert on suspicious widget attribute modifications
- Configure SentinelOne Singularity Platform to monitor for anomalous JavaScript execution patterns and DOM manipulation indicative of XSS exploitation
- Perform regular security audits of contributor and author accounts to identify potentially compromised credentials
Monitoring Recommendations
- Enable detailed logging of WordPress post and page modifications, particularly for Elementor widget changes
- Monitor server access logs for repeated POST requests to wp-admin/admin-ajax.php with Elementor-related actions
- Configure browser Content Security Policy (CSP) headers to restrict inline script execution and report violations
- Review WordPress user activity logs for contributors creating or editing content with Section Title widgets
How to Mitigate CVE-2026-1397
Immediate Actions Required
- Update the PQ Addons – Creative Elementor Widgets plugin to the latest patched version immediately
- Audit all existing pages and posts using the PQ Section Title widget for signs of injected malicious content
- Review and restrict contributor-level access to only trusted users until the patch is applied
- Implement a Web Application Firewall with XSS protection rules as an additional defense layer
Patch Information
Organizations should check the official WordPress plugin repository for updated versions of the PQ Addons – Creative Elementor Widgets plugin that address this vulnerability. Monitor the WordPress Plugin repository for patched releases. The Wordfence Vulnerability Analysis provides additional guidance on remediation.
Workarounds
- Temporarily deactivate the PQ Addons – Creative Elementor Widgets plugin until a patch is available if the plugin is not critical to site functionality
- Restrict contributor and author role capabilities using a role management plugin to prevent widget editing
- Implement strict Content Security Policy headers to mitigate the impact of any successfully injected scripts
- Manually validate and sanitize existing Section Title widget content in the database to remove any injected payloads
# WordPress CLI commands to identify potentially affected content
# List all posts/pages using Elementor
wp post list --post_type=page,post --meta_key=_elementor_edit_mode --meta_value=builder --format=table
# Search database for suspicious html_tag patterns (run with caution)
wp db query "SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key='_elementor_data' AND meta_value LIKE '%html_tag%script%'" --allow-root
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
