CVE-2026-39702
DOM-Based XSS in Animation Addons for Elementor
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wealcoder | animation_addons_for_elementor | to 2.6.1 (inc) |
| wealcoder | animation_addons_for_elementor | From 2.6.1|end_including=2.6.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-39702 is a Cross Site Scripting (XSS) vulnerability found in the WordPress plugin "Animation Addons for Elementor" versions up to and including 2.6.1.
This vulnerability allows attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when visitors access the affected website.
Exploitation requires a user with at least Contributor or Developer privileges to interact with a crafted link, page, or form, meaning user interaction is necessary.
How can this vulnerability impact me? :
The vulnerability can lead to the execution of malicious scripts on your website, potentially causing unwanted redirects, displaying unauthorized advertisements, or other harmful HTML payloads.
Since exploitation requires user interaction from someone with Contributor or Developer privileges, the risk is somewhat limited but still significant.
Although the impact is considered low severity and unlikely to be widely exploited, it can be used in mass-exploit campaigns targeting many websites.
Currently, no official patch is available, so mitigation involves updating the plugin once a fix is released or seeking help from hosting providers or web developers to implement protective measures.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a DOM-Based Cross Site Scripting (XSS) issue in the Animation Addons for Elementor plugin, which requires user interaction such as clicking a malicious link or submitting a form to be exploited.
There are no specific detection commands or network/system scanning instructions provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include monitoring for updates and applying the plugin update once a patched version is released.
In the meantime, seek assistance from hosting providers or web developers to implement protective measures to reduce the risk of exploitation.