PT-2026-47725 · WordPress · Prime Elementor Addons

Romain Deperne · Published 2026-06-09 · Updated 2026-06-09 · CVE-2026-8677

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Prime Elementor Addons versions prior to 1.3.4

Description

Insufficient input sanitization and output escaping in the Widget HTML Tag Settings allow authenticated attackers with contributor-level access or higher to perform Stored Cross-Site Scripting. This occurs because payloads without HTML angle brackets, such as img src=x onerror=alert(document.domain), bypass the wp_kses_post() filter, enabling the injection of arbitrary web scripts that execute when a user visits the affected page.

Recommendations

Update to a version newer than 1.3.3.
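
An added illustration (not code from Prime Elementor Addons or from this advisory) of the usual hardening for a tag-name setting: a value with no angle brackets gives wp_kses_post() no markup to strip and only becomes markup once a template wraps it in < and >, so the setting is matched against a fixed allowlist of element names instead. It assumes the setting is emitted as the element name; safe_wrapper_tag(), render_wrapper() and the allowlist are hypothetical, and htmlspecialchars() stands in for WordPress's esc_html() so the block runs outside WordPress.

```php
<?php
// Added illustration; not the plugin's code.
// Assumption: the widget setting is emitted as the element name, i.e. "<$tag>...</$tag>".

// Hypothetical allowlist of element names a heading/wrapper widget needs.
const ALLOWED_WRAPPER_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

/**
 * Return $tag only when it is an exact (case-insensitive) match for an
 * allowlisted element name; anything else falls back to $default.
 */
function safe_wrapper_tag($tag, string $default = 'div'): string
{
    if (!is_string($tag)) {
        return $default; // arrays, null, etc. from a tampered settings payload
    }
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_WRAPPER_TAGS, true) ? $tag : $default;
}

/** Render the wrapper with a validated tag name and escaped text content. */
function render_wrapper($tag_setting, string $text): string
{
    $tag = safe_wrapper_tag($tag_setting);
    // Stand-in for esc_html(): escape the element body as text.
    $body = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<{$tag}>{$body}</{$tag}>";
}

// Constructed inputs: legitimate settings, the bracket-free value quoted in
// the advisory, a non-string value, and an empty string.
$samples = ['h2', 'H3 ', 'img src=x onerror=alert(document.domain)', ['h2'], ''];
foreach ($samples as $setting) {
    echo render_wrapper($setting, 'Title & more'), PHP_EOL;
}
```

The comparison is strict equality against whole names, so a value that merely starts with an allowed name followed by a space and attributes is rejected rather than trimmed into shape.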

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-8677

Affected Products: Prime Elementor Addons