CVE-2026-1397
Stored XSS in PQ Addons Elementor Widget Allows Script Injection
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pq_addons | creative_elementor_widgets | up to 1.0.0 (inclusive) |
| peacefulqode | peacefulqode-elementzplus-widgets | up to 1.0.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The PQ Addons - Creative Elementor Widgets plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.0.0. The flaw exists because the plugin does not properly sanitize and escape input on the html_tag parameter of the PQ Section Title widget.
Authenticated attackers with contributor-level access or higher can exploit this by injecting malicious web scripts into widget attributes. These scripts then execute whenever any user loads the page containing the injected widget.
How can this vulnerability impact me?
This vulnerability allows an attacker with contributor-level access to inject arbitrary scripts into pages on your WordPress site. These scripts can execute in the browsers of users who visit the affected pages.
- It can lead to theft of user credentials or session cookies.
- It can enable unauthorized actions on behalf of users.
- It can cause defacement or manipulation of website content.
- It may damage user trust and site reputation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the html_tag parameter in the PQ Section Title widget of the PQ Addons - Creative Elementor Widgets WordPress plugin. Detection typically involves identifying injected malicious scripts in pages rendered by this widget.
Since the vulnerability requires authenticated contributor-level access or higher to inject scripts, detection can include reviewing recent changes or content additions by such users for suspicious HTML or JavaScript code within widget attributes.
The available resources provide no specific commands for detecting this vulnerability directly on your network or system.
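One way to carry out the review described above, as an added example that is not part of this advisory or of the plugin's own code: Elementor stores each page's layout as a JSON tree in the `_elementor_data` post meta, where every widget carries a `settings` object. The scanner below walks that tree and flags any PQ Section Title widget whose `html_tag` value is not a plain heading or wrapper tag name. The widget slug `pq-section-title` is an assumed placeholder (the real `widgetType` value is not given on the page), and the sample data is constructed.

```python
"""Flag PQ Section Title widgets whose html_tag setting is not a bare tag name.

Added example for reviewing stored Elementor data; not the plugin's code.
"""

# Tag names a section-title widget legitimately uses; anything else is suspicious.
ALLOWED_HTML_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "p"}

# Assumed placeholder: the real widgetType slug is not stated on the page.
TARGET_WIDGET = "pq-section-title"


def walk_elements(elements, path=()):
    """Yield (path, element) for every node in Elementor's nested element tree."""
    for index, element in enumerate(elements):
        current = path + (index,)
        yield current, element
        yield from walk_elements(element.get("elements", []), current)


def find_suspicious_html_tags(elementor_data):
    """Return findings for target widgets whose html_tag is not an allowed tag name.

    An absent html_tag means the widget default is used, so it is not reported.
    """
    findings = []
    for path, element in walk_elements(elementor_data):
        if element.get("elType") != "widget" or element.get("widgetType") != TARGET_WIDGET:
            continue
        tag = str(element.get("settings", {}).get("html_tag", ""))
        if tag and tag.strip().lower() not in ALLOWED_HTML_TAGS:
            findings.append({"path": "/".join(map(str, path)), "html_tag": tag})
    return findings


# Constructed sample mirroring the decoded _elementor_data JSON: one clean widget
# and one whose html_tag carries an injected attribute instead of a bare tag name.
SAMPLE_ELEMENTOR_DATA = [
    {"elType": "section", "elements": [
        {"elType": "column", "elements": [
            {"elType": "widget", "widgetType": TARGET_WIDGET,
             "settings": {"title": "Welcome", "html_tag": "h2"}},
            {"elType": "widget", "widgetType": TARGET_WIDGET,
             "settings": {"title": "About", "html_tag": 'h2 onclick="alert(1)"'}},
        ]},
    ]},
]

if __name__ == "__main__":
    for finding in find_suspicious_html_tags(SAMPLE_ELEMENTOR_DATA):
        print(f"suspicious html_tag at element {finding['path']}: {finding['html_tag']!r}")
```

Feed it the decoded `_elementor_data` meta of each page (for example the output of `wp post meta get <post-id> _elementor_data`) and check the author and revision history of any flagged page.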
What immediate steps should I take to mitigate this vulnerability?
To mitigate this Stored Cross-Site Scripting vulnerability, immediate steps include restricting contributor-level and higher permissions to trusted users only, since these roles can inject malicious scripts via the vulnerable widget.
Additionally, update the PQ Addons - Creative Elementor Widgets plugin to a version that properly sanitizes and escapes the html_tag parameter in the PQ Section Title widget as soon as a fixed version is available.
As a temporary measure, disabling or removing the vulnerable widget from your WordPress site can prevent exploitation.