CVE-2026-6127
Received Received - Intake
Stored Cross-Site Scripting in Elementor Website Builder for WordPress

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: Wordfence

Description
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, causing all sanitization to be skipped. The unsanitized data is then stored via update_post_meta() and later output without escaping through multiple widget sinks including the HTML widget's print_unescaped_setting() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6127
EUVD
EUVD-2026-26479
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elementor website_builder to 4.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Elementor Website Builder plugin for WordPress, specifically versions up to and including 4.0.4. It is a Stored Cross-Site Scripting (XSS) issue that arises because the plugin does not properly sanitize input when processing form-encoded REST API requests.

The plugin registers a meta field called _elementor_data with the REST API but fails to provide a sanitize callback for it. Instead, it relies on a filter that sanitizes only JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request, the sanitization is skipped because the JSON decoding fails, allowing unsanitized data to be stored.

This unsanitized data is then output without escaping in various widget areas, including the HTML widget, enabling an attacker with contributor-level access or higher to inject malicious scripts that execute when users view the affected pages.

Impact Analysis

This vulnerability can allow an authenticated attacker with contributor-level access or higher to inject arbitrary malicious scripts into pages built with the Elementor plugin.

These scripts execute in the browsers of users who visit the infected pages, potentially leading to theft of sensitive information, session hijacking, defacement, or distribution of malware.

Because the vulnerability requires contributor-level access, it may be exploited by insiders or compromised accounts, increasing the risk of persistent and hard-to-detect attacks.

Compliance Impact

The vulnerability allows authenticated contributors to inject arbitrary web scripts via stored cross-site scripting (XSS) in the Elementor Website Builder plugin. This can lead to unauthorized script execution when users access affected pages.

Such unauthorized script execution can potentially lead to data exposure or manipulation, which may impact the confidentiality and integrity of user data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized data access or manipulation can pose risks to compliance with these regulations, which require protection of personal and sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6127. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart