PT-2026-36300 · Elementor · Elementor Website Builder – More Than Just A Page Builder

Jonah Burgess · Published 2026-05-01 · Updated 2026-05-01

CVE-2026-6127
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. The cause is insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (the sanitize_post_data() function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, so all sanitization is skipped. The unsanitized data is then stored via update_post_meta() and later output without escaping through multiple widget sinks, including the HTML widget's print_unescaped_setting() function. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages that execute whenever a user visits an injected page.
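The root cause described above is a sanitization step tied to one request encoding rather than to the meta field itself. The following is an added example, not Elementor's code, showing how a plugin can register a REST-exposed post meta field so that sanitization runs on every write path (REST writes, update_post_meta(), the editor) regardless of whether the body is JSON or form-encoded. The plugin prefix, the meta key _myplugin_layout, the sanitizer and the use of the page post type are hypothetical; the WordPress functions (register_post_meta, wp_kses_post, WP_REST_Request::get_param/set_param, the rest_pre_insert_{post_type} filter) are real core APIs.

```php
<?php
/**
 * Added example (not Elementor's code): register a REST-exposed post meta
 * field with a sanitize_callback so sanitization does not depend on how the
 * REST request body was encoded. Names prefixed "myplugin" are hypothetical.
 */

// Sanitizer for a JSON document stored in post meta. It accepts either a
// decoded array or a JSON string, which is what a form-encoded REST body
// delivers for a meta value.
function myplugin_sanitize_layout( $value ) {
    if ( is_string( $value ) ) {
        $decoded = json_decode( $value, true );
        // Refuse to store anything that is not valid JSON rather than
        // falling back to the raw, unchecked string.
        if ( JSON_ERROR_NONE !== json_last_error() ) {
            return '';
        }
        $value = $decoded;
    }
    if ( ! is_array( $value ) ) {
        return '';
    }
    // wp_kses_post() removes script tags and event-handler attributes while
    // keeping the HTML a post author is normally allowed to use.
    array_walk_recursive( $value, function ( &$leaf ) {
        if ( is_string( $leaf ) ) {
            $leaf = wp_kses_post( $leaf );
        }
    } );
    return wp_json_encode( $value );
}

add_action( 'init', function () {
    register_post_meta( 'page', '_myplugin_layout', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => true,
        // update_metadata() calls sanitize_meta(), so this runs for REST
        // writes and for update_post_meta() alike; there is no request
        // format check that a different Content-Type could bypass.
        'sanitize_callback' => 'myplugin_sanitize_layout',
        // Protected (underscore-prefixed) keys need an explicit auth_callback
        // to be writable over REST at all.
        'auth_callback'     => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

// Defence in depth: a rest_pre_insert filter that reads the parsed request
// parameters. WP_REST_Request::get_param() merges JSON and form-encoded
// bodies, unlike json_decode() applied to the raw body, which yields null
// for application/x-www-form-urlencoded and would silently skip the check.
add_filter( 'rest_pre_insert_page', function ( $prepared_post, WP_REST_Request $request ) {
    $meta = $request->get_param( 'meta' );
    if ( is_array( $meta ) && isset( $meta['_myplugin_layout'] ) ) {
        $meta['_myplugin_layout'] = myplugin_sanitize_layout( $meta['_myplugin_layout'] );
        $request->set_param( 'meta', $meta );
    }
    return $prepared_post;
}, 10, 2 );
```

When auditing a plugin for this class of issue, get_registered_meta_keys( 'post', $post_type ) lists each registered key with its show_in_rest and sanitize_callback settings; a key exposed to REST with sanitize_callback unset is worth tracing to whatever filter is expected to stand in for it, and to whether that filter parses the request body itself.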

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-6127

Affected Products

Elementor Website Builder – More Than Just A Page Builder