CVE-2026-57620 in Exclusive Addons Elementor Plugin

Scope: Exclusive Addons Elementor: from n/a through 2.7.9.8.

Severity: High

The vulnerability under analysis represents a critical cross-site scripting flaw classified as CWE-79 in the Common Weakness Enumeration catalog, specifically manifesting as a stored XSS vulnerability within the Tim Strifler Exclusive Addons Elementor plugin. This security weakness permits malicious actors to inject persistent script code into web pages that are subsequently served to other users, creating a persistent threat vector that can compromise user sessions and data integrity.

The technical exploitation occurs through improper input sanitization during the web page generation process within the Elementor page builder environment. When users create or edit content using the Exclusive Addons Elementor plugin, the system fails to adequately neutralize user-supplied input before rendering it in the generated HTML output. This deficiency allows attackers to embed malicious JavaScript code within plugin parameters or content fields that persist in the database and execute whenever the affected page is accessed by other users.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, deface websites, steal user credentials, or redirect victims to malicious domains. The stored nature of the vulnerability means that once exploited, the malicious payload remains active until manually removed from the database, providing attackers with sustained access to compromised systems. This particular weakness affects all versions of the Exclusive Addons Elementor plugin from the initial release through version 2.7.9.8, indicating a long-standing issue that has not been adequately addressed.

The vulnerability aligns with ATT&CK technique T1566.001 for initial access through malicious content and can be leveraged for privilege escalation through session manipulation. Security professionals should note that Elementor is widely used across WordPress environments, amplifying the potential attack surface and impact of this vulnerability. The flaw demonstrates poor input validation practices in web application development, where user-supplied data should always be properly escaped or encoded before being rendered in HTML contexts to prevent script injection attacks.

The Uganda National CERT and Coordination Center (CERT.UG/CC) advises that mitigation strategies should include immediate patching of affected versions to the latest stable release, implementing comprehensive input sanitization measures, and deploying web application firewalls with XSS detection capabilities.

RELATED ADVISORIES

Advisories 26 June 2026

Flowise – Authentication Bypass via Registration Endpoint (CVE-2025-71327)

Scope: Flowise, All Versions Lacking Registration Restrictions

Severity: Critical

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API access without credentials.

parse-server – Supply Chain Incident (CVE-2021-47987)

Advisories 26 June 2026

WSO2 API Manager – Server-Side Request Forgery (CVE-2026-2053)

Advisories 26 June 2026

n8n – Credential Vault Exfiltration via Endpoint Abuse (CVE-2026-56348)

Advisories 24 June 2026

Claude Code – Indirect Prompt Injection and WebFetch Data Exfiltration (CVE-2026-54316)

Advisories 24 June 2026

vLLM – Authentication Bypass via Host Header Manipulation (CVE-2026-48746)

Advisories 24 June 2026

ManageEngine Products – Predictable SSO Ticket Generation / Account Takeover (CVE-2026-11374)

Advisories 24 June 2026