aThemes Addons for Elementor Plugin Vulnerability (CVE-2026-8613)

Security Alert Summary

The aThemes Addons for Elementor plugin for WordPress contains a stored Cross-Site Scripting (XSS) vulnerability in the widget “title_tag” setting. Authenticated users with contributor-level access or higher can inject arbitrary scripts into pages using the Posts Timeline and Posts Carousel widgets (default, Banner, and Modern skins). Injected scripts execute when a user views an affected page due to insufficient input sanitization and output escaping.


CVE Details

  • CVE ID: CVE-2026-8613
  • Affected component: aThemes Addons for Elementor plugin for WordPress
  • Affected versions: All versions up to and including 1.1.8
  • Published: June 10, 2026 at 8:16:25 AM UTC
  • Last modified: June 10, 2026 at 8:16:25 AM UTC
  • CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User interaction: Authentication required; privileges required: Low (authenticated attacker with contributor-level access or above); user interaction: None
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation)

Technical Details

This vulnerability is a stored Cross-Site Scripting issue caused by insufficient input sanitization and missing output escaping for the widget setting named “title_tag”. The flaw exists in the Posts Timeline widget and the Posts Carousel widget (including the default, Banner, and Modern skins), which omit the whitelist validation that is applied correctly in the Posts List widget. Because the plugin stores attacker-supplied input and later renders it in page output without proper sanitization/escaping, an authenticated low-privilege user can inject HTML or script content that will be served to and executed by other users viewing the page.
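The page does not include the plugin's source, so the following is an added illustration (not aThemes' code) of the check that is missing from the Posts Timeline and Posts Carousel widgets: the "title_tag" setting is a tag name that is written straight into markup, so it must be constrained to a fixed allow-list before rendering, and the title text must be escaped separately. Function names, the allow-list contents, and the `$settings` array shape are assumptions for this example; `htmlspecialchars` stands in for WordPress's `esc_html()` so the snippet runs outside WordPress.

```php
<?php
// Added example, not plugin code. Tags a heading setting may legitimately hold.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

/**
 * Return a safe tag name: the stored setting only if it is on the allow-list,
 * otherwise the default. This is the validation the page says the Posts List
 * widget applies and the Timeline/Carousel widgets omit. WordPress's own
 * tag_escape() only strips characters outside [a-zA-Z0-9_:]; an explicit
 * allow-list is stricter and is what a tag-name setting should use.
 */
function athemes_safe_title_tag( $setting, $default = 'h3' ) {
    $tag = strtolower( trim( (string) $setting ) );
    return in_array( $tag, ALLOWED_TITLE_TAGS, true ) ? $tag : $default;
}

/**
 * Render a post title. The tag comes from the allow-list and the text is
 * HTML-escaped, so neither part can introduce markup or script.
 *
 * Unsafe pattern this replaces: interpolating $settings['title_tag'] into
 * the string directly, which lets a contributor-supplied value close the tag
 * and inject arbitrary HTML that is stored and later served to every viewer.
 */
function athemes_render_title( array $settings, $title_text ) {
    $tag  = athemes_safe_title_tag( $settings['title_tag'] ?? '' );
    $text = htmlspecialchars( (string) $title_text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return "<{$tag} class=\"post-title\">{$text}</{$tag}>";
}

// Constructed inputs: a normal setting and a setting that is not a plain tag name.
var_dump( athemes_render_title( ['title_tag' => 'H2'], 'Release notes' ) );
// string(45) "<h2 class="post-title">Release notes</h2>"
var_dump( athemes_render_title( ['title_tag' => 'h2 onmouseover=x'], 'Release <b>notes</b>' ) );
// Falls back to h3 and escapes the text:
// string(68) "<h3 class="post-title">Release &lt;b&gt;notes&lt;/b&gt;</h3>"
```

A setting stored before the fix is still unsafe data in the database, so after updating, the values already saved for these widgets should be re-validated through the same allow-list rather than trusted on read.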

Impact: injected scripts execute in the context of the site page when visited. This can lead to theft of session data or other data accessible in the page context, manipulation of rendered content, or other actions that rely on executing JavaScript in a victim’s browser. The CVSS metrics indicate limited confidentiality and integrity impact and no availability impact for this vulnerability.


How This Could Impact Your Website

Imagine a scenario where a contributor or external contractor with permission to create or edit posts uses the Posts Carousel or Posts Timeline widgets to add content to a public page. Because the plugin does not properly sanitize the “title_tag” setting for certain widget skins, that contributor could insert a script that runs when other staff or site visitors load the page. Site owners and internal staff who view the page could have values available to the page (for example, session tokens visible to client-side scripts) exposed to the injected script, and internal user email addresses or other data shown on the page could be harvested.

Practical consequences include exposure of internal user email addresses and an increased risk of targeted phishing or social engineering against staff or contributors who access affected pages. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially contributor-level accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, such as unexpected content changes in widgets or new post entries from low-privilege accounts.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
