CVE-2026-1397
Stored XSS in PQ Addons Elementor Widget Allows Script Injection

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Title widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-21
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor / Product / Version range:
  • pq_addons / creative_elementor_widgets / up to and including 1.0.0
  • peacefulqode / peacefulqode-elementzplus-widgets / up to and including 1.0.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

The PQ Addons – Creative Elementor Widgets plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 1.0.0. This vulnerability arises because the plugin does not properly sanitize and escape input on the html_tag parameter in the PQ Section Title widget.

Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting malicious web scripts into widget attributes. These scripts then execute whenever any user accesses the page containing the injected widget.

Impact Analysis

This vulnerability allows an attacker with contributor-level access to inject arbitrary scripts into pages on your WordPress site. These scripts can execute in the browsers of users who visit the affected pages.

  • It can lead to theft of user credentials or session cookies.
  • It can enable unauthorized actions on behalf of users.
  • It can cause defacement or manipulation of website content.
  • It may damage user trust and site reputation.
Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) via the html_tag parameter in the PQ Section Title widget of the PQ Addons – Creative Elementor Widgets WordPress plugin. Detection typically involves identifying injected malicious scripts in pages rendered by this widget.

Since the vulnerability requires authenticated contributor-level access or higher to inject scripts, detection can include reviewing recent changes or content additions by such users for suspicious HTML or JavaScript code within widget attributes.

There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.

Mitigation Strategies

To mitigate this Stored Cross-Site Scripting vulnerability, immediate steps include restricting contributor-level and higher user permissions to trusted users only, as these roles can inject malicious scripts via the vulnerable widget.

Additionally, updating the PQ Addons – Creative Elementor Widgets plugin to a version that properly sanitizes and escapes the html_tag parameter in the PQ Section Title widget is recommended once a fixed version is available.

As a temporary measure, disabling or removing the vulnerable widget from your WordPress site can prevent exploitation.
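The fix the mitigation section refers to is a tag-name allowlist plus output escaping. The following PHP is an added, constructed illustration and not the plugin's own code: the function and variable names (validate_title_tag, render_title_vulnerable, render_title_hardened, $settings) and the sample attribute values are assumptions made here to show the vulnerable pattern next to the hardened one.

```php
<?php
// Constructed example: hardening the html_tag attribute of a section-title widget.
// Not the plugin's code; $settings stands in for the widget's stored attributes.

// Allowlist of tag names a heading widget legitimately needs (assumed set).
const SAFE_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

/**
 * Reduce an arbitrary html_tag value to an allowlisted tag name.
 * Anything that is not exactly one of the allowed names (extra attributes,
 * angle brackets, mixed case) falls back to the default tag.
 */
function validate_title_tag(string $tag, string $default = 'h2'): string {
    $tag = strtolower(trim($tag));
    return in_array($tag, SAFE_TITLE_TAGS, true) ? $tag : $default;
}

/** Vulnerable pattern: the stored attribute is interpolated straight into markup. */
function render_title_vulnerable(array $settings): string {
    return '<' . $settings['html_tag'] . ' class="pq-section-title">'
        . $settings['title'] . '</' . $settings['html_tag'] . '>';
}

/** Hardened pattern: allowlist the tag name and escape the text content. */
function render_title_hardened(array $settings): string {
    $tag  = validate_title_tag($settings['html_tag'] ?? 'h2');
    $text = htmlspecialchars($settings['title'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<{$tag} class=\"pq-section-title\">{$text}</{$tag}>";
}

// Constructed widget settings of the kind a contributor-level user could save.
$settings = [
    'html_tag' => 'h2 onmouseover="x"',   // not a bare tag name: must be rejected
    'title'    => 'Our <b>Services</b>',
];

echo render_title_vulnerable($settings), PHP_EOL;
echo render_title_hardened($settings), PHP_EOL;
```

The vulnerable renderer copies the injected attribute into the opening tag, while the hardened one emits a plain h2 and entity-encodes the title text. Inside WordPress, esc_html() is the usual replacement for the htmlspecialchars() call, and the allowlist check should also run when the widget settings are saved, not only at render time.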
