The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced from The Events Calendar. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Project Subscriptions

Vendors Products
Wordpress Subscribe
Wordpress Subscribe
Wpdevteam Subscribe
Essential Addons For Elementor – Popular Elementor Templates & Widgets Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 08 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam essential Addons For Elementor – Popular Elementor Templates & Widgets
Vendors & Products Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam essential Addons For Elementor – Popular Elementor Templates & Widgets

Wed, 08 Jul 2026 13:00:00 +0000

Type Values Removed Values Added
Description The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced from The Events Calendar. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Essential Addons for Elementor <= 6.6.2 - Authenticated (Author+) Stored Cross-Site Scripting via Event Calendar Widget Popup
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-08T14:11:23.298Z

Reserved: 2026-04-16T23:08:24.493Z

Link: CVE-2026-6459

cve-icon Vulnrichment

Updated: 2026-07-08T14:11:19.958Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T14:45:03Z

Weaknesses