PT-2026-36300 · WordPress · Elementor Website Builder

Jonah Burgess · Published 2026-05-01 · Updated 2026-05-29 · CVE-2026-6127

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Elementor Website Builder versions prior to 4.0.5

Description: Insufficient input sanitization in the processing of form-encoded REST API requests allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting. The plugin registers the `_elementor_data` meta field with `show_in_rest` but lacks a `sanitize_callback`. It relies on a `rest_pre_insert_post` filter via the `sanitize_post_data()` function, which only sanitizes JSON-encoded request bodies. When a form-encoded PATCH request is sent to the WordPress REST API, the `json_decode()` call returns `null`, bypassing all sanitization. The unsanitized data is stored using `update_post_meta()` and subsequently output without escaping through various widget sinks, including the HTML widget's `print_unescaped_setting()` function, enabling the execution of arbitrary web scripts when a user accesses the affected page.

Recommendations: Update to a version newer than 4.0.4.
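As an added illustration (not Elementor's code), the same weakness and its fix on a hypothetical meta key `_demo_builder_data`: the "before" shape, where a request-level filter is the only sanitizer and returns early when the body is not JSON, beside the "after" shape, which attaches the sanitizer to the meta registration so WordPress runs it on every write regardless of request encoding. The helper `demo_kses_walk()` and the filter body are assumptions.

```php
<?php
// Added example, not Elementor's code; meta key and helper names are hypothetical.
// BEFORE and AFTER are alternatives, not meant to be loaded together.
// BEFORE: meta exposed to the REST API with no sanitize_callback, so the only
// sanitizer is a request-level filter that gives up when the body is not JSON.
add_action( 'init', function () {
    register_post_meta( 'page', '_demo_builder_data', [
        'show_in_rest'  => true,
        'single'        => true,
        'type'          => 'string',
        'auth_callback' => function () { return current_user_can( 'edit_posts' ); },
        // no 'sanitize_callback'
    ] );
} );
add_filter( 'rest_pre_insert_page', function ( $prepared, WP_REST_Request $request ) {
    $body = json_decode( $request->get_body(), true );
    if ( null === $body ) {
        return $prepared; // form-encoded request: meta reaches update_post_meta() untouched
    }
    // ... sanitize $body['meta']['_demo_builder_data'] and write it back ...
    return $prepared;
}, 10, 2 );

// AFTER: sanitize at the meta layer. WordPress runs this callback from sanitize_meta()
// on every write path (REST meta handling, update_post_meta()), whatever the body encoding.
function demo_kses_walk( array $node ): array {
    foreach ( $node as $key => $value ) {
        if ( is_array( $value ) ) {
            $node[ $key ] = demo_kses_walk( $value );
        } elseif ( is_string( $value ) ) {
            $node[ $key ] = wp_kses_post( $value ); // drops script tags and on* handlers
        }
    }
    return $node;
}

add_action( 'init', function () {
    register_post_meta( 'page', '_demo_builder_data', [
        'show_in_rest'      => true,
        'single'            => true,
        'type'              => 'string',
        'auth_callback'     => function () { return current_user_can( 'edit_posts' ); },
        'sanitize_callback' => function ( $value ) {
            $decoded = json_decode( (string) $value, true );
            // Store nothing rather than raw input when the value is not well-formed JSON.
            return is_array( $decoded ) ? wp_json_encode( demo_kses_walk( $decoded ) ) : '';
        },
    ] );
} );
```

A real builder would apply a per-setting allow-list instead of `wp_kses_post()` on every string; the point here is where the sanitizer sits, and that output sinks must still escape on render.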

Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2026-6127

Affected Products: Elementor Website Builder