Skip to main content
CVE Vulnerability Database

CVE-2026-4655: Element Pack Elementor XSS Vulnerability

CVE-2026-4655 is a stored cross-site scripting flaw in Element Pack Addons for Elementor that allows authenticated attackers to inject malicious JavaScript via SVG files. This article covers technical details and mitigation.

Updated:

CVE-2026-4655 Overview

CVE-2026-4655 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Element Pack Addons for Elementor plugin for WordPress. The flaw affects all versions up to and including 8.4.2. The render_svg() function in the SVG Image Widget fetches remote SVG content using wp_safe_remote_get() and echoes the response without sanitization or output escaping. Authenticated attackers with Contributor-level access or above can inject arbitrary JavaScript through malicious SVG files. The injected script executes whenever a user views a page containing the affected widget.

Critical Impact

Authenticated contributors can persist JavaScript that runs in the browser of every visitor and administrator who views the affected page, enabling session theft, content manipulation, and account takeover.

Affected Products

  • Element Pack Addons for Elementor (bdthemes-element-pack-lite) — versions up to and including 8.4.2
  • WordPress sites running the vulnerable plugin with Contributor-or-higher user accounts
  • Pages rendered with the SVG Image Widget using remote SVG URLs

Discovery Timeline

  • 2026-04-08 - CVE-2026-4655 published to NVD
  • 2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-4655

Vulnerability Analysis

The vulnerability lives in the SVG Image Widget shipped by Element Pack Addons for Elementor. When a content editor configures the widget with a remote SVG URL, the plugin's render_svg() function retrieves the file using wp_safe_remote_get(). The retrieved markup is then printed directly into the page response. No DOM sanitization, attribute filtering, or HTML escaping is applied to the response body before output.

The only transformation performed is a preg_replace() call that injects attributes into the outer <svg> tag. This regex does not strip event handlers such as onload, onclick, or onmouseover, nor does it remove <script> elements embedded in the SVG. As a result, any JavaScript carried by the remote SVG is preserved and executed in the context of the WordPress site origin.

Root Cause

The root cause is insufficient input sanitization and missing output escaping on attacker-influenced HTML content. SVG is an XML dialect that supports inline scripting and event handler attributes, so SVG payloads must be sanitized with an allowlist-based parser before rendering. Trusting the response of wp_safe_remote_get() as safe markup, and emitting it directly through echo, violates standard WordPress output escaping practices.

Attack Vector

An authenticated attacker with at least Contributor privileges crafts or hosts an SVG containing JavaScript inside <script> tags or onload-style event handlers. The attacker creates or edits a post that uses the SVG Image Widget and points the widget's remote URL parameter to the malicious SVG. When any visitor, including administrators, loads the published page, the unsanitized SVG payload is fetched and inlined into the response. The browser parses the SVG, executes the embedded script under the site origin, and the attacker can hijack sessions, perform actions on behalf of the victim, or pivot to administrative takeover.

No verified exploit code is publicly indexed. See the Wordfence Vulnerability Report and the vulnerable render_svg implementation for technical details.

Detection Methods for CVE-2026-4655

Indicators of Compromise

  • SVG Image Widget instances configured with remote URLs pointing to external or untrusted domains
  • Outbound HTTP requests from the WordPress host to attacker-controlled SVG hosting infrastructure during page render
  • Response bodies containing <script> tags, onload=, onerror=, or javascript: URIs inside <svg> markup served from the WordPress site
  • Unexpected creation or modification of posts and widgets by Contributor-tier accounts referencing external .svg resources

Detection Strategies

  • Inspect the WordPress database (wp_postmeta and Elementor _elementor_data entries) for svg-image widget configurations referencing external URLs
  • Review web server access logs for requests to pages that contain the SVG Image Widget and correlate with browser-side script execution anomalies
  • Run a Content Security Policy (CSP) in report-only mode and monitor script-src violations originating from rendered post pages
  • Use static analysis or grep against the plugin source for the render_svg function and confirm the installed version is greater than 8.4.2

Monitoring Recommendations

  • Alert on new or modified posts by Contributor-level and Author-level accounts that include SVG Image Widget data
  • Monitor outbound network egress from the WordPress PHP worker to non-allowlisted domains during page rendering
  • Track administrative session anomalies, including unexpected wp-admin actions immediately following page views containing the widget

How to Mitigate CVE-2026-4655

Immediate Actions Required

  • Update the Element Pack Addons for Elementor plugin to a version released after 8.4.2 that addresses the unsanitized SVG output
  • Audit existing posts for SVG Image Widget instances using external URLs and remove or replace any referencing untrusted hosts
  • Restrict Contributor and Author role assignments to trusted users only, and review recent role changes
  • Rotate WordPress administrator credentials and invalidate active sessions if widget abuse is suspected

Patch Information

The vendor (bdthemes) addressed the issue in the plugin trunk. Review the WordPress Changeset Log for the upstream fix and apply the latest available release. Customers on managed WordPress platforms should confirm the patched version is deployed across all staging and production sites.

Workarounds

  • Disable the SVG Image Widget within Element Pack settings if the patched version cannot be applied immediately
  • Deploy a Web Application Firewall (WAF) rule that blocks responses containing <script> or event handler attributes inside SVG markup served from the site
  • Apply a strict Content Security Policy that disallows inline scripts (script-src 'self' without 'unsafe-inline') to limit XSS execution
  • Revoke Contributor and Author privileges from accounts that do not require content submission while the patch is being validated
bash
# Example: enforce a strict Content Security Policy via Apache to mitigate inline SVG XSS
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.