{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4655", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-23T15:02:38.592Z", "datePublished": "2026-04-08T07:43:00.898Z", "dateUpdated": "2026-04-08T16:34:12.756Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:12.756Z"}, "affected": [{"vendor": "bdthemes", "product": "Element Pack \u2013 Widgets, Templates & Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the render_svg() function. The function fetches SVG content using wp_safe_remote_get() and then directly echoes it to the page without any sanitization, only applying a preg_replace() to add attributes to the SVG tag which does not remove malicious event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript in SVG files that will execute whenever a user accesses a page containing the malicious widget."}], "title": "Element Pack Addons for Elementor <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0838f085-8ff7-4c6a-bd5b-af99f666377b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/svg-image/widgets/svg-image.php#L1028"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.4.2/modules/svg-image/widgets/svg-image.php#L1028"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/svg-image/widgets/svg-image.php#L989-L1033"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.4.2/modules/svg-image/widgets/svg-image.php#L989-L1033"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/svg-image/widgets/svg-image.php#L1063-L1129"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.4.2/modules/svg-image/widgets/svg-image.php#L1063-L1129"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494214%40bdthemes-element-pack-lite&new=3494214%40bdthemes-element-pack-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2026-03-23T15:17:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T19:36:01.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:47:21.778238Z", "id": "CVE-2026-4655", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:13:47.385Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4655", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:47:21.778238Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:47:22.770Z"}}], "cna": {"title": "Element Pack Addons for Elementor <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bdthemes", "product": "Element Pack \u2013 Widgets, Templates & Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.4.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-23T15:17:50.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T19:36:01.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0838f085-8ff7-4c6a-bd5b-af99f666377b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/svg-image/widgets/svg-image.php#L1028"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.4.2/modules/svg-image/widgets/svg-image.php#L1028"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/svg-image/widgets/svg-image.php#L989-L1033"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.4.2/modules/svg-image/widgets/svg-image.php#L989-L1033"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/svg-image/widgets/svg-image.php#L1063-L1129"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.4.2/modules/svg-image/widgets/svg-image.php#L1063-L1129"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494214%40bdthemes-element-pack-lite&new=3494214%40bdthemes-element-pack-lite&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the render_svg() function. The function fetches SVG content using wp_safe_remote_get() and then directly echoes it to the page without any sanitization, only applying a preg_replace() to add attributes to the SVG tag which does not remove malicious event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript in SVG files that will execute whenever a user accesses a page containing the malicious widget."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T07:43:00.898Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4655", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:13:47.385Z", "dateReserved": "2026-03-23T15:02:38.592Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T07:43:00.898Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the render_svg() function. The function fetches SVG content using wp_safe_remote_get() and then directly echoes it to the page without any sanitization, only applying a preg_replace() to add attributes to the SVG tag which does not remove malicious event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript in SVG files that will execute whenever a user accesses a page containing the malicious widget."}], "id": "CVE-2026-4655", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T08:16:24.407", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.4.2/modules/svg-image/widgets/svg-image.php#L1028"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.4.2/modules/svg-image/widgets/svg-image.php#L1063-L1129"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/8.4.2/modules/svg-image/widgets/svg-image.php#L989-L1033"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/svg-image/widgets/svg-image.php#L1028"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/svg-image/widgets/svg-image.php#L1063-L1129"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/svg-image/widgets/svg-image.php#L989-L1033"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3494214%40bdthemes-element-pack-lite&new=3494214%40bdthemes-element-pack-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0838f085-8ff7-4c6a-bd5b-af99f666377b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.4.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Element Pack \u2013 Widgets, Templates & Addons for Elementor", "source": "cna", "vendor": "bdthemes"}, "product": "element_pack_\u2013_widgets,_templates_&_addons_for_elementor", "vendor": "bdthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:39:14.761335+00:00", "value": {"mitigation_remediation": ["Upgrade the Element Pack plugin to version 8.4.3 or later.", "If an immediate upgrade is not possible, remove or disable the SVG Image Widget for all contributors.", "Restrict Contributor users from adding widgets that handle external SVG files.", "Verify that any externally loaded SVG content is sanitized before rendering."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running bdthemes Element Pack \u2013 Widgets, Templates & Addons for Elementor version 8.4.2 or earlier are vulnerable. The issue exists in the SVG Image Widget module and affects all deployments that provide Contributor or higher role access.", "description_and_impact": "The plugin\u2019s SVG Image Widget fetches external SVG files and echoes their content directly. Because it only adds attributes and does not strip malicious event handlers, a Contributor\u2011level user can upload or reference a crafted SVG containing JavaScript. When any visitor views the page with the widget, the script runs in that visitor\u2019s browser, giving the attacker the ability to steal session cookies, deface content, or execute further attacks within the site context.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires possession of Contributor or higher privileges to inject the malicious SVG, but the impact is achieved on any user who views the affected page, meaning it can affect all authenticated or anonymous visitors depending on the widget\u2019s placement."}}}}, "created": "2026-04-08T19:30:57.734132+00:00", "updated": "2026-04-08T19:43:29.297630+00:00", "vendors": ["bdthemes", "bdthemes$PRODUCT$element_pack_\u2013_widgets,_templates_&_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}