Xpro Addons – 140+ Widgets for Elementor Plugin Vulnerability (CVE-2026-2949)

Security Alert Summary

The Xpro Addons – 140+ Widgets for Elementor plugin for WordPress is affected by a stored Cross-Site Scripting (XSS) vulnerability in the Icon Box widget. Because of insufficient input sanitization and output escaping, authenticated users with contributor-level access or higher can inject scripts that execute whenever a user views a page containing the injected content.

CVE Details

  • CVE ID: CVE-2026-2949
  • Affected component: Xpro Addons – 140+ Widgets for Elementor plugin (Icon Box widget)
  • Affected versions: up to and including 1.4.24
  • Published: April 4, 2026 at 4:17:14 AM UTC
  • Last modified: April 4, 2026 at 4:17:14 AM UTC
  • CVSS v3.1 base score: 6.4 (MEDIUM)
  • CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • Authentication / privileges / user interaction: Requires an authenticated attacker with contributor-level access or higher. CVSS privileges required: LOW. User interaction: NONE.
  • Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE.
  • Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)

Technical Details

This vulnerability is a stored Cross-Site Scripting (XSS) issue that exists because the Icon Box widget does not sufficiently sanitize user-supplied input and does not properly escape output before rendering on pages. Malicious input submitted by an authenticated user with contributor-level privileges or higher can be stored by the plugin and later served to other users without adequate encoding, allowing injected script code to run in the context of a visitor’s browser.

The description identifies the Icon Box widget as the affected component. Because the problem is insufficient input sanitization and output escaping, the risk arises when content entered through the widget is saved and later rendered on a page viewed by other users. The impact is limited to the confidentiality and integrity of data exposed or modified in the context of rendered pages; availability is not indicated as affected.
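As an added example (not code from this advisory or from the Xpro plugin), a defender-side check for content a bug of this kind may already have stored: it walks the JSON element tree that Elementor saves in the `_elementor_data` post meta and flags Icon Box widgets whose stored settings contain script-like markup. The `widgetType` value `xpro-icon-box`, the setting names and the sample data are constructed assumptions; match the filter to the type string your plugin actually registers.

```python
import json
import re

# Elementor keeps each page layout as a JSON element tree in the `_elementor_data`
# post meta (sections > columns > widgets). Widget nodes look like
# {"id": "...", "elType": "widget", "widgetType": "...", "settings": {...}}.
SUSPICIOUS = re.compile(
    r"<\s*script\b|<\s*iframe\b|(?:^|[\s\"'])on[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def iter_widgets(elements):
    """Depth-first walk yielding every widget node in the nested element tree."""
    for el in elements:
        if el.get("elType") == "widget":
            yield el
        yield from iter_widgets(el.get("elements", []))

def iter_strings(value):
    """Yield every string leaf inside a settings value (dicts and lists recursed)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from (s for v in value.values() for s in iter_strings(v))
    elif isinstance(value, list):
        yield from (s for v in value for s in iter_strings(v))

def find_suspicious_widgets(elementor_data, widget_filter="icon-box"):
    """Return (widget id, widgetType, offending setting) for widgets whose type contains
    widget_filter and whose stored settings carry script-like markup.
    widget_filter is an assumption: set it to the widgetType your plugin registers."""
    hits = []
    for w in iter_widgets(json.loads(elementor_data)):
        wtype = w.get("widgetType", "")
        if widget_filter not in wtype:
            continue
        for s in iter_strings(w.get("settings", {})):
            if SUSPICIOUS.search(s):
                hits.append((w.get("id"), wtype, s))
    return hits

# Constructed sample `_elementor_data` (not real site data): one clean Icon Box widget
# and one whose title carries injected markup. The widgetType string is assumed.
SAMPLE_ELEMENTOR_DATA = json.dumps([{
    "id": "s1", "elType": "section", "elements": [{
        "id": "c1", "elType": "column", "elements": [
            {"id": "w1", "elType": "widget", "widgetType": "xpro-icon-box",
             "settings": {"title": "Fast Support", "description": "We reply in 24h."}},
            {"id": "w2", "elType": "widget", "widgetType": "xpro-icon-box",
             "settings": {"title": "Pricing<script>/* constructed */</script>"}},
        ]}]}])
```

On a live site, feed the function the `meta_value` of each post's `_elementor_data` row (for example via WP-CLI's `wp post meta get <id> _elementor_data`) and review every hit by hand, since the pattern is a coarse indicator, not proof of exploitation.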

How This Could Impact Your Website

Consider a typical WordPress site where the site owner assigns editing tasks to internal staff and external contributors. A contributor or contractor with access to the Elementor Icon Box widget could submit malicious script in a widget field. When internal staff, administrators, or site visitors view the page containing the injected widget, the script could execute in their browsers.

Practical consequences include exposure of information visible to the page viewer (for example, stored user profile data or emails accessible in the page context), and an increased risk of targeted phishing or social engineering against staff or users who view the affected pages. The integrity of page content could also be affected if injected scripts modify how content is displayed to visitors. Availability is not indicated as impacted by this vulnerability.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially for contributors.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior or unexpected content changes.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
