CVE-2026-22518
DOM-Based XSS in pencilwp X Addons for Elementor
Publication date: 2026-01-08
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pencilwp | x_addons_for_elementor | From 1.0.0 (inc) to 1.0.23 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22518 is a Cross Site Scripting (XSS) vulnerability in the WordPress plugin 'X Addons for Elementor' up to version 1.0.23. It is a DOM-Based XSS issue where an attacker can inject malicious scripts into web pages generated by the plugin. Exploitation requires a user with Contributor or Developer privileges to interact with crafted content such as clicking a malicious link or submitting a form. When exploited, the malicious scripts can execute in the browsers of site visitors, potentially causing redirects, displaying unwanted advertisements, or other harmful actions. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject and execute malicious scripts on your website, which can lead to unauthorized actions such as redirecting users to malicious sites, displaying unwanted advertisements, or stealing sensitive information from users. However, exploitation requires user interaction from someone with Contributor or Developer privileges, which limits the likelihood and impact. The CVSS score of 6.5 indicates a moderate risk level. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for suspicious user interactions such as clicks on malicious links, visits to crafted pages, or form submissions by users with Contributor or Developer privileges. Since it is a DOM-Based XSS, you can look for unusual script injections or unexpected HTML payloads executing in the browser context. Specific commands are not provided in the resources, but general approaches include using web application scanners that detect XSS vulnerabilities, reviewing web server logs for suspicious URLs or parameters, and employing browser developer tools to inspect DOM changes during user interactions. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting user roles to limit Contributor or Developer privileges to trusted users only, educating users about the risks of clicking unknown links or submitting untrusted forms, and using web application firewalls or security plugins that can block malicious scripts. Since no official patch or fix is currently available, relying on Patchstack's mitigation services or other security layers is recommended until a patch is released. [1]