CVE-2026-4655 Overview
CVE-2026-4655 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Element Pack Addons for Elementor plugin for WordPress. The vulnerability exists in the SVG Image Widget component in versions up to and including 8.4.2. Due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs, authenticated attackers with Contributor-level access or above can inject arbitrary JavaScript code that executes whenever users access pages containing the malicious widget.
Critical Impact
Authenticated attackers can persistently inject malicious JavaScript via SVG files, enabling session hijacking, credential theft, and defacement of WordPress sites using the vulnerable plugin.
Affected Products
- Element Pack Addons for Elementor (bdthemes-element-pack-lite) versions up to and including 8.4.2
- WordPress installations utilizing the SVG Image Widget feature
- Sites allowing Contributor-level or higher user access
Discovery Timeline
- 2026-04-08 - CVE-2026-4655 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-4655
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw resides in the render_svg() function within the SVG Image Widget module. When processing SVG content from remote URLs, the function uses wp_safe_remote_get() to fetch the SVG data but then directly echoes it to the page without proper sanitization.
The only processing applied to the SVG content is a preg_replace() operation intended to add attributes to the SVG tag. However, this regex manipulation does not remove or neutralize malicious event handlers or script elements that may be embedded within the SVG content. This oversight allows attackers to craft SVG files containing JavaScript payloads that execute in the context of the victim's browser session.
Root Cause
The root cause is the lack of proper input sanitization when handling SVG content from external sources. The render_svg() function trusts that SVG content retrieved via wp_safe_remote_get() is safe, which is an incorrect assumption. While wp_safe_remote_get() validates the URL and prevents certain types of Server-Side Request Forgery attacks, it does not sanitize the content of the response. The absence of functions like wp_kses() or dedicated SVG sanitization libraries allows malicious SVG attributes and elements to pass through unfiltered.
Attack Vector
The attack requires authenticated access at the Contributor level or above. An attacker can create or edit a page using the Elementor editor and add an SVG Image Widget configured to load an SVG file from a URL under their control. The malicious SVG file can contain JavaScript event handlers (such as onload, onclick, or onerror) or embedded <script> tags. When any user—including administrators—views the page, the malicious JavaScript executes in their browser context, potentially leading to session hijacking, privilege escalation, or further site compromise.
The vulnerability is exploited through the widget's remote URL fetching capability. The render_svg() function fetches SVG content and outputs it directly to the page. Since no sanitization removes dangerous attributes like onload="javascript:alert(1)" or script tags, the browser interprets and executes the malicious code as part of the legitimate page content.
Detection Methods for CVE-2026-4655
Indicators of Compromise
- Unusual SVG Image Widget configurations pointing to external URLs not controlled by the organization
- SVG files containing JavaScript event handlers (onload, onclick, onerror, onmouseover, etc.)
- Pages with embedded script execution originating from SVG content
- Contributor or higher-level accounts creating pages with remote SVG references unexpectedly
Detection Strategies
- Review WordPress page content for SVG Image Widgets referencing external URLs
- Implement Content Security Policy (CSP) headers to detect and block inline script execution from untrusted sources
- Monitor web application firewall (WAF) logs for XSS patterns in requests involving SVG content
- Audit user activity logs for suspicious page creation or editing by Contributor-level accounts
Monitoring Recommendations
- Enable detailed logging for WordPress page edits and widget configurations
- Configure SentinelOne to monitor for anomalous JavaScript execution patterns within WordPress installations
- Set up alerts for outbound requests to unusual domains from the WordPress server
- Regularly scan stored content for known XSS patterns and malicious SVG attributes
How to Mitigate CVE-2026-4655
Immediate Actions Required
- Update Element Pack Addons for Elementor to a version newer than 8.4.2 that addresses this vulnerability
- Review existing pages for SVG Image Widgets configured with external URLs and remove or replace suspicious configurations
- Restrict Contributor-level access to trusted users only until patching is complete
- Implement a Web Application Firewall (WAF) rule to block SVG content containing JavaScript event handlers
Patch Information
A patch is available through the WordPress plugin repository. Refer to the WordPress Changeset Information for details on the security fix. Additional technical analysis is available in the Wordfence Vulnerability Report. The vulnerable code can be reviewed in the WordPress SVG Image Widget Code.
Workarounds
- Disable the SVG Image Widget functionality by removing or deactivating the relevant module until patching
- Implement server-side SVG sanitization using libraries like DOMPurify or similar before content is rendered
- Configure WordPress to disallow remote URL references in the SVG Image Widget settings
- Restrict user roles to prevent Contributor-level accounts from using the SVG Image Widget
# Example: Disabling the module via wp-cli (if supported by the plugin)
wp option update element_pack_active_modules --format=json '{"svg-image": false}'
# Alternative: Add to wp-config.php or a must-use plugin to block remote SVG fetching
# define('DISABLE_REMOTE_SVG_WIDGETS', true);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
