PT-2026-31111 · Elementor+1

Craig Smith · Published 2026-04-08 · Updated 2026-04-13 · CVE-2026-4655

CVSS v3.1: 6.4 (Medium), AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

The Element Pack Addons for Elementor plugin for WordPress, versions up to and including 8.4.2.

Description

The Element Pack Addons for Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting through the SVG Image Widget. The cause is inadequate input sanitization and output escaping of SVG content retrieved from remote URLs within the render_svg() function. The function uses wp_safe_remote_get() to fetch SVG content and then outputs it directly without proper sanitization. The only processing applied is a preg_replace() that modifies the SVG tag, which does not eliminate malicious event handlers. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into SVG files, which will execute when a user views a page containing the compromised widget.

Recommendations

For versions up to and including 8.4.2, update to a newer version that addresses this issue. As a temporary workaround, avoid using the SVG Image Widget with remote URLs.
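
The description attributes the flaw to fetched SVG markup being output after only a tag rewrite. The PHP below is an added example, not the plugin's code and not the vendor's fix: it shows why a tag-level preg_replace() leaves handlers in place, next to one allowlist-rebuild approach with DOMDocument. The function names, the allowlist, the regex and the sample SVG are assumptions made for illustration.

```php
<?php
// Added illustration; not the plugin's code. All names below are hypothetical.
const SVG_NS = 'http://www.w3.org/2000/svg';
// Element => attributes let through. Anything absent is dropped, so event
// handlers, <script>, <foreignObject>, href and style never reach the page.
const SVG_ALLOWED = [
    'svg'  => ['viewBox', 'width', 'height', 'fill'],
    'g'    => ['fill', 'stroke', 'transform'],
    'path' => ['d', 'fill', 'stroke', 'stroke-width', 'transform'],
    'rect' => ['x', 'y', 'width', 'height', 'fill', 'stroke'],
];

// Rebuild the tree from allowlisted parts only; text, comments, CDATA and
// processing instructions are never copied into the output document.
function copy_allowed(DOMElement $src, DOMDocument $out): ?DOMElement
{
    $name = $src->localName;
    if ($src->namespaceURI !== SVG_NS || !isset(SVG_ALLOWED[$name])) {
        return null;
    }
    $dst = $out->createElementNS(SVG_NS, $name);
    foreach ($src->attributes as $attr) {
        // nodeName keeps any prefix, so xlink:href and similar never match.
        if (in_array($attr->nodeName, SVG_ALLOWED[$name], true)) {
            $dst->setAttribute($attr->nodeName, $attr->value);
        }
    }
    foreach ($src->childNodes as $child) {
        if ($child instanceof DOMElement && ($c = copy_allowed($child, $out))) {
            $dst->appendChild($c);
        }
    }
    return $dst;
}

function sanitize_remote_svg(string $body): string
{
    $in = new DOMDocument();
    // Refuse empty input, malformed XML, and any document carrying a DTD.
    if ($body === '' || !@$in->loadXML($body, LIBXML_NONET) || $in->doctype !== null) {
        return '';
    }
    $out  = new DOMDocument();
    $root = copy_allowed($in->documentElement, $out);
    return ($root && $root->localName === 'svg') ? $out->saveXML($out->appendChild($root)) : '';
}

// Constructed sample standing in for a fetched response body.
$body = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 8 8" onload="alert(1)">'
      . '<script>alert(2)</script><path d="M0 0h8v8z"/></svg>';
echo preg_replace('/<svg/', '<svg class="icon"', $body, 1), "\n"; // tag rewrite only: onload and <script> survive
echo sanitize_remote_svg($body), "\n";                            // rebuilt output: neither is copied
```

The allowlist is deliberately narrow and rejects SVGs that carry a DOCTYPE, so real icon sets may need more elements and presentation attributes added after review.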

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-4655

Affected Products

Element Pack Elementor Addons
Elementor