CVE-2026-4790 Overview
CVE-2026-4790 is a Stored Cross-Site Scripting (XSS) vulnerability in the Premium Addons for Elementor WordPress plugin. The flaw affects all versions up to and including 4.11.70. Attackers exploit the custom_svg parameter, which lacks proper input sanitization and output escaping [CWE-79].
Authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript into pages. The injected scripts execute in the browsers of any visitors who view the affected pages. This enables session hijacking, credential theft, and unauthorized actions performed on behalf of victim users.
Critical Impact
Authenticated contributors can persist malicious JavaScript that executes against site visitors and administrators, enabling account takeover and content manipulation.
Affected Products
- Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress
- All versions up to and including 4.11.70
- WordPress sites running Elementor with this plugin enabled
Discovery Timeline
- 2026-05-02 - CVE-2026-4790 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-4790
Vulnerability Analysis
The vulnerability resides in how the plugin processes the custom_svg parameter when rendering widget content. The plugin accepts SVG input from users with contributor-level access and stores it without sufficient sanitization. When the page is later rendered, the stored payload is output without proper escaping, causing the browser to execute attacker-controlled scripts.
SVG documents support embedded JavaScript through <script> tags and event handlers such as onload and onerror. Without strict filtering, these vectors allow arbitrary script execution within the site's origin. The stored nature of the flaw means a single injection persists across page loads and affects every visitor.
The attack requires user interaction, as the payload triggers only when a victim loads the page containing the injected SVG. Because the injected script runs in other users' browsers rather than in the attacker's own session, the impact crosses authentication boundaries: a low-privileged contributor can attack high-privileged administrators.
Root Cause
The root cause is missing input sanitization on the custom_svg parameter and missing output escaping during page rendering. The plugin trusts contributor-supplied SVG markup and emits it directly into the HTML response. Refer to the WordPress Plugin Changeset for the specific code paths fixed in the patch.
Attack Vector
An authenticated attacker with contributor or higher privileges crafts a malicious SVG payload containing JavaScript. The attacker submits the payload through the plugin's widget interface using the custom_svg parameter. The payload persists in the WordPress database and executes whenever any user — including administrators — loads the affected page. See the Wordfence Vulnerability Report for additional analysis.
Detection Methods for CVE-2026-4790
Indicators of Compromise
- Unexpected <script> tags or event handler attributes (onload, onerror, onclick) inside SVG content stored in wp_postmeta or wp_posts tables
- Outbound requests from visitor browsers to unfamiliar domains shortly after loading pages containing Premium Addons widgets
- New or modified administrator accounts created shortly after contributor-level activity
- Unusual custom_svg parameter values in WordPress access logs containing JavaScript keywords
Detection Strategies
- Audit WordPress posts and postmeta for SVG content containing executable script tags or JavaScript event handlers
- Review user role assignments and recent contributor activity for suspicious page edits
- Monitor web server logs for POST requests to admin-ajax.php or Elementor editor endpoints with SVG payloads
- Deploy a Web Application Firewall ruleset that flags SVG uploads containing <script> or javascript: references
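The audit step above (and the stored-content indicators listed under Indicators of Compromise) can be automated. The following is an added example, not code from the plugin or the vendor: it walks SVG markup the way a defender would when hunting through exported wp_postmeta rows, flagging script elements, on* event-handler attributes, javascript: URIs and foreignObject containers. The sample rows are constructed stand-ins for what a custom_svg setting might store; the meta_key names and row layout are assumptions, not the plugin's real schema.

```python
import re
import xml.etree.ElementTree as ET

# Attributes that accept a URL; a javascript: scheme in any of them executes script.
URL_ATTRS = {"href", "src", "to", "from", "values"}

def _local(name):
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1]

def find_svg_script_vectors(svg):
    """Return human-readable findings for one SVG document (empty list if clean)."""
    findings = []
    try:
        root = ET.fromstring(svg)
    except ET.ParseError:
        # Malformed markup still runs in a lenient HTML parser; fall back to a regex heuristic.
        if re.search(r"<\s*script\b|\bon\w+\s*=|javascript\s*:", svg, re.I):
            findings.append("unparseable SVG with script-like content")
        return findings
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, val in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS:
                # Drop whitespace/control chars browsers tolerate before the scheme.
                if re.sub(r"[\x00-\x20]", "", val).lower().startswith("javascript:"):
                    findings.append(f"javascript: URI in {name} on <{tag}>")
    return findings

def scan_postmeta(rows):
    """Scan (meta_id, meta_key, meta_value) rows; return {meta_id: findings} for hits only."""
    hits = {}
    for meta_id, _key, value in rows:
        if "<svg" in value.lower():
            found = find_svg_script_vectors(value)
            if found:
                hits[meta_id] = found
    return hits

# Constructed sample rows; only 101 is a benign icon, the rest carry a script vector.
SAMPLE_POSTMETA = [
    (101, "_elementor_data", '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'),
    (102, "_elementor_data", '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'),
    (103, "_elementor_data", '<svg xmlns="http://www.w3.org/2000/svg"><image href="x" onerror="void 0"/></svg>'),
    (104, "_elementor_data", '<svg><a href=" JavaScript:void(0)"><text>link</text></a></svg>'),
]
```

Run `scan_postmeta` over rows pulled with `wp db query` or a direct SELECT on wp_postmeta and wp_posts; each hit's meta_id tells you which post to inspect and clean.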
Monitoring Recommendations
- Enable WordPress audit logging to capture all post and widget modifications by contributor-level accounts
- Forward web server and application logs to a centralized SIEM for correlation across user sessions
- Set alerts for changes to user roles, new administrator creation, and plugin file modifications
How to Mitigate CVE-2026-4790
Immediate Actions Required
- Update the Premium Addons for Elementor plugin to a version newer than 4.11.70 immediately
- Audit all contributor and author accounts and remove any unnecessary or suspicious accounts
- Review recently published or modified pages for injected SVG content and remove malicious payloads
- Force password resets for all administrative users if exploitation is suspected
Patch Information
The vendor addressed the vulnerability in the changeset published at WordPress Plugin Changeset 3495451. Site administrators should upgrade through the WordPress plugin dashboard or by replacing the plugin files manually. Verify the installed version is greater than 4.11.70 after applying the update.
Workarounds
- Restrict contributor and author roles to trusted users only until the patch is applied
- Disable the Premium Addons for Elementor plugin if an immediate update is not feasible
- Configure a Web Application Firewall to block SVG uploads containing <script> tags or JavaScript event handlers
- Apply Content Security Policy (CSP) headers that restrict inline script execution on front-end pages
# Check installed plugin version via WP-CLI
wp plugin get premium-addons-for-elementor --field=version
# Update the plugin to the latest patched release
wp plugin update premium-addons-for-elementor
# Temporarily deactivate if patching is delayed
wp plugin deactivate premium-addons-for-elementor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.