CVE-2026-8677 Overview
CVE-2026-8677 is a Stored Cross-Site Scripting (XSS) vulnerability in the Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress. The flaw affects all versions up to and including 1.3.3 and stems from insufficient input sanitization and output escaping of Widget HTML Tag settings. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript that executes when any user views the affected page. The vulnerability bypasses Elementor's wp_kses_post() filter because payloads such as img src=x onerror=alert(document.domain) contain no HTML angle brackets, so they pass through unchanged at save time. The issue is classified under CWE-79.
Critical Impact
Contributor-level users can persist JavaScript payloads that execute in the browser of any visitor or administrator viewing the page, enabling session theft, account takeover, and content manipulation.
Affected Products
- Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages (slug: unlimited-elementor-inner-sections-by-boomdevs)
- All plugin versions up to and including 1.3.3
- WordPress installations running the affected plugin with contributor-level (or higher) user accounts
Discovery Timeline
- 2026-06-09 - CVE-2026-8677 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-8677
Vulnerability Analysis
The plugin permits user-controlled values to populate widget HTML tag attributes without applying contextual output escaping. While Elementor applies wp_kses_post() to filter dangerous HTML at save time, this function only strips disallowed tags and attributes when angle brackets are present. Payloads supplied directly into attribute contexts, such as img src=x onerror=alert(document.domain), contain no angle brackets and bypass the filter entirely. When the widget renders, the attacker-controlled string is concatenated into HTML markup, producing an active <img> element with an executable onerror handler.
Root Cause
The root cause is missing context-aware escaping in widget rendering code paths. Multiple widget files including PostGridRenderer.php, AdvancedAccordion.php, CallToAction.php, Counter.php, InfoBox.php, and TeamMember.php insert tag-setting values into output HTML without applying esc_attr() or esc_html(). The reliance on wp_kses_post() as a single sanitization barrier is insufficient because that function does not normalize attribute-only injections.
Attack Vector
An authenticated attacker with contributor-level privileges edits a page or post, adds an affected widget, and supplies a crafted value in the HTML Tag setting. The payload is stored in the database and executes whenever the page is rendered in any viewer's browser. The scope is changed (S:C), meaning script execution affects resources beyond the vulnerable component, including the WordPress administrative session of any logged-in viewer.
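The following is an added illustration, not code from the plugin or from the advisory, of the rendering pattern described under Vulnerability Analysis, Root Cause and Attack Vector: a stored HTML Tag setting is concatenated straight into the tag position of the markup, so a bracket-less value that reaches the renderer unchanged becomes a live element with an event handler. The hardened variant validates the setting against an allowlist of tag names (the allowlist, the fallback to div and all function names are assumptions for this example; they do not describe the vendor's fix).

```python
"""Added example (not the plugin's code): a tag setting concatenated into
markup versus the same setting validated against an allowlist of tag names.
Names and the allowlist are hypothetical."""
import html

# Tag names a heading/wrapper widget legitimately needs (assumed allowlist).
ALLOWED_TAGS = frozenset({"h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "p"})


def render_vulnerable(tag_setting: str, text: str) -> str:
    """Vulnerable pattern: the stored setting lands in the tag position as-is.

    Escaping the setting with an attribute escaper would not help here, because a
    value such as 'img src=x onerror=alert(document.domain)' contains none of the
    characters an attribute escaper rewrites; the tag name itself must be validated.
    """
    return f'<{tag_setting} class="widget-title">{text}</{tag_setting}>'


def validate_html_tag(tag_setting: str, fallback: str = "div") -> str:
    """Hardened: accept only a known bare tag name; anything else becomes the fallback."""
    tag = tag_setting.strip().lower()
    return tag if tag in ALLOWED_TAGS else fallback


def render_hardened(tag_setting: str, text: str) -> str:
    """Tag name comes from the allowlist; text content is HTML-escaped for its context."""
    tag = validate_html_tag(tag_setting)
    return f'<{tag} class="widget-title">{html.escape(text)}</{tag}>'


if __name__ == "__main__":
    stored = "img src=x onerror=alert(document.domain)"  # the value the advisory cites
    print(render_vulnerable(stored, "Hello"))
    print(render_hardened(stored, "Hello"))
```

Running the block prints the vulnerable output (an img element carrying an onerror attribute, produced at render time from a value that never contained angle brackets) followed by the hardened output, in which the unrecognised tag setting has been replaced by the fallback wrapper.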
The vulnerability is described in the Wordfence Vulnerability Report and source-level references are available via the WordPress Plugin Trac.
Detection Methods for CVE-2026-8677
Indicators of Compromise
- Page or post content containing attribute-only event handlers such as onerror=, onload=, onmouseover=, or onfocus= within widget configuration fields.
- Unexpected <script> execution or external script loads originating from pages rendered by the Prime Elementor Addons plugin.
- Database postmeta entries with Elementor widget data containing JavaScript event attributes in html_tag or related settings.
- Outbound requests from administrator browsers to attacker-controlled domains after visiting plugin-rendered pages.
Detection Strategies
- Inspect wp_postmeta rows where meta_key = '_elementor_data' for serialized widget settings containing event handler attributes or unexpected JavaScript keywords.
- Deploy Content Security Policy (CSP) headers in report-only mode to surface inline script execution from previously trusted pages.
- Monitor WordPress audit logs for contributor or author accounts editing pages immediately followed by anomalous administrator activity.
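As an added example of the first detection strategy above (it is not a tool from the advisory, Wordfence or the plugin vendor), the script below walks exported _elementor_data rows and reports widget settings that contain an event-handler attribute or a javascript: URL, or whose key names a tag but whose value is not a bare tag name. It assumes Elementor stores _elementor_data as a JSON array of nested elements with elType, widgetType, settings and elements keys, and the default wp_ table prefix; the sample rows, widget type names and the SQL in the comment are constructed for illustration.

```python
"""Added example (not from the advisory or the plugin): scan _elementor_data
rows for attribute-only event-handler payloads in widget settings."""
import json
import re

# Rows as they would come back from, for example:
#   SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data';
# (default "wp_" prefix assumed). Constructed sample data, not real site content.
SAMPLE_ROWS = [
    (101, json.dumps([{
        "id": "a1", "elType": "section", "elements": [{
            "id": "b2", "elType": "column", "elements": [
                {"id": "c3", "elType": "widget", "widgetType": "prime-heading",
                 "settings": {"title": "Welcome", "html_tag": "h2"}},
                {"id": "d4", "elType": "widget", "widgetType": "prime-info-box",
                 "settings": {"title": "Team",
                              "title_tag": "img src=x onerror=alert(document.domain)"}},
            ]}]}])),
    (102, json.dumps([{"id": "e5", "elType": "widget", "widgetType": "prime-counter",
                       "settings": {"number": "42", "suffix_tag": "span"}}])),
]

# Event-handler attribute (onerror=, onload=, ...) or a javascript: URL anywhere in a value.
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
# A legitimate tag setting is a bare tag name; anything else smuggles attributes.
BARE_TAG_RE = re.compile(r"^[a-z][a-z0-9]*$", re.IGNORECASE)


def iter_widgets(elements, path=()):
    """Depth-first walk over the element tree, yielding (path, widget) pairs."""
    for el in elements:
        here = path + (el.get("id", "?"),)
        if el.get("elType") == "widget":
            yield here, el
        yield from iter_widgets(el.get("elements", []), here)


def scan_settings(settings):
    """Yield (key, value, reason) for every string setting that looks injected."""
    for key, value in settings.items():
        if not isinstance(value, str):
            continue
        if EVENT_HANDLER_RE.search(value):
            yield key, value, "event-handler"
        elif key.endswith("tag") and not BARE_TAG_RE.match(value):
            yield key, value, "non-bare-tag"


def scan_rows(rows):
    """Return one finding dict per suspicious setting across all (post_id, meta_value) rows."""
    findings = []
    for post_id, meta_value in rows:
        try:
            data = json.loads(meta_value)
        except json.JSONDecodeError:
            # Corrupt or non-JSON meta deserves a look of its own, so report it rather than skip.
            findings.append({"post_id": post_id, "reason": "unparseable"})
            continue
        for path, widget in iter_widgets(data):
            for key, value, reason in scan_settings(widget.get("settings", {})):
                findings.append({"post_id": post_id, "widget": widget.get("widgetType"),
                                 "path": "/".join(path), "setting": key,
                                 "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

On a real site the rows would be fetched with the query in the comment (or exported via WP-CLI) and fed to scan_rows; each finding gives the post ID and the widget path, which is enough to open the page in the editor and remove or correct the setting. The non-bare-tag rule catches values that evade the event-handler pattern but still cannot be a legitimate tag name.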
Monitoring Recommendations
- Enable a Web Application Firewall (WAF) with WordPress XSS rule sets covering attribute-only injection patterns.
- Track plugin version inventory across all WordPress sites and alert on installations running 1.3.3 or earlier.
- Review user role assignments and flag any non-administrator accounts elevated to contributor or above.
How to Mitigate CVE-2026-8677
Immediate Actions Required
- Update the Prime Elementor Addons plugin to version 1.3.4 or later on all WordPress instances.
- Audit existing pages and widgets created by contributor-level users for stored payloads.
- Review and reduce contributor-level account assignments where they are not strictly required.
Patch Information
The vendor released a fix in version 1.3.4. The corresponding code changes are visible in the WordPress Plugin Change Log. Site administrators should upgrade immediately through the WordPress plugin updater or by manually replacing plugin files.
Workarounds
- Deactivate the Prime Elementor Addons plugin until the update to 1.3.4 is applied.
- Restrict page and post editing to trusted administrator or editor roles by removing publishing capabilities from contributor accounts.
- Enforce a strict Content Security Policy that disallows inline event handlers and untrusted script sources.
- Apply WAF rules that block attribute-context payloads such as onerror=, onload=, and javascript: in POST request bodies to admin-ajax.php and post.php.
# Configuration example: WP-CLI commands to verify and update the plugin
wp plugin get unlimited-elementor-inner-sections-by-boomdevs --field=version
wp plugin update unlimited-elementor-inner-sections-by-boomdevs --version=1.3.4
wp plugin list --status=active --format=table | grep boomdevs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.