PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6565 analogwp CVE debrief

The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the `/wp-json/agwp/v1/tokens/save` REST API endpoint. The kit title parameter is neither sufficiently sanitized on input nor escaped on output, and it is rendered inside an HTML attribute in the WordPress admin, so a title that closes the attribute value can inject an event handler. This allows authenticated attackers with contributor-level access or higher to store arbitrary web scripts that execute whenever a user loads a page that renders the injected title. The vulnerability affects versions up to and including 2.5.0. The issue was disclosed on 2026-05-27 with a CVSS 3.1 score of 6.4 (Medium severity). A patch is available via changeset 3530172 in the WordPress plugin repository.

Vendor
analogwp
Product
Style Kits for Elementor
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

WordPress site administrators using Style Kits plugin; security teams managing WordPress environments; developers maintaining Elementor-based sites with multi-user contributor access.

Technical summary

The vulnerability resides in the `/wp-json/agwp/v1/tokens/save` REST endpoint, which accepts a kit title without adequate sanitization and later echoes it into an HTML attribute in the admin interface without escaping it for that context. In attribute context no `<script>` tag is needed: a title containing a double quote closes the attribute value, and whatever follows it (an `on*` event handler, for example) becomes live markup. Input filtering that only strips tags therefore does not stop it; the value has to be escaped for the attribute context at output time. The attack requires authenticated access at contributor level or above, so the lowest standard role that can log in and draft content is enough to plant the payload. It then executes in the browser of whoever views the affected admin screen or rendered page, and because the people who open that admin screen are typically administrators, the realistic impact is a contributor performing administrator-level actions through the victim's session.
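The pattern behind the finding, shown next to the fix, as an added example that is not code from PatchSiren or from the Style Kits plugin: the route namespace (`agwp-example/v1`), the option name, the `title` parameter, the capability checked and the handler names are all assumptions for illustration and do not claim to mirror the plugin's real handler.

```php
<?php
// Added example, not the plugin's own code. Route, option, parameter and
// capability names are assumptions for illustration.

// --- Vulnerable pattern (deliberately unsafe, for comparison) -------------
// The title is stored as submitted and later echoed inside an HTML attribute
// without esc_attr(). A title such as
//   " autofocus onfocus="alert(document.domain)
// closes value="..." and leaves an event handler behind it.
function agwp_example_vulnerable_save( WP_REST_Request $request ) {
    $title = $request->get_param( 'title' );             // raw, unsanitized
    update_option( 'agwp_example_kit_title', $title );   // stored as-is
    return rest_ensure_response( array( 'saved' => true ) );
}

function agwp_example_vulnerable_render() {
    $title = get_option( 'agwp_example_kit_title', '' );
    // Attribute context with no escaping: this is the XSS sink.
    echo '<input type="text" name="kit_title" value="' . $title . '">';
}

// --- Hardened pattern -----------------------------------------------------
function agwp_example_hardened_save( WP_REST_Request $request ) {
    // 1. Normalise on the way in: strip tags, control characters, whitespace.
    $title = sanitize_text_field( (string) $request->get_param( 'title' ) );
    if ( '' === $title ) {
        return new WP_Error( 'agwp_bad_title', 'Title is required.', array( 'status' => 400 ) );
    }
    update_option( 'agwp_example_kit_title', $title );
    return rest_ensure_response( array( 'saved' => true, 'title' => $title ) );
}

function agwp_example_hardened_render() {
    $title = get_option( 'agwp_example_kit_title', '' );
    // 2. Escape for the exact output context: attribute value => esc_attr().
    //    (A text node would use esc_html(); a URL attribute esc_url().)
    echo '<input type="text" name="kit_title" value="' . esc_attr( $title ) . '">';
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'agwp-example/v1', '/tokens/save', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'agwp_example_hardened_save',
        // 3. Gate the route on a capability that matches who should manage
        //    site-wide styling. edit_posts would let contributors in;
        //    manage_options is the conservative choice (assumption).
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
        ),
    ) );
} );
```

The detail worth internalising is that `sanitize_text_field()` strips tags and control characters but leaves a double quote alone, so the breakout title in the comment survives the input step unchanged; it is `esc_attr()` at output time, which turns `"` into `&quot;`, that actually neutralises it. Sanitize on the way in, escape for the context on the way out, and give the route a `permission_callback` that matches the role that should be editing kits rather than the lowest role that can authenticate.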

Defensive priority

Medium

Recommended defensive actions

  • Update the Style Kits plugin to version 2.5.1 or later; the fix is changeset 3530172 in the WordPress plugin repository, and 2.5.0 and earlier remain affected.
  • Review existing kit titles for double quotes, angle brackets, on*= handlers or javascript: URIs; a legitimate title needs none of these, so any hit warrants checking who created it and when.
  • Add Content Security Policy headers to limit XSS impact, with the caveat that WordPress admin pages rely on inline scripts, so a policy strict enough to block an injected inline event handler needs nonces or hashes and testing before it is enforced.
  • Restrict contributor-level accounts to people who need them; until the update is applied, treat every contributor as able to reach the endpoint.
  • Monitor REST API access logs for `/wp-json/agwp/v1/tokens/save` requests; POST bodies are not normally logged, so look at frequency, client IP, user agent and whether the requester is a contributor rather than at the payload itself.
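One way to carry out the title review and log monitoring steps above, as an added example rather than PatchSiren's tooling or anything from the plugin: a PHP CLI script run over constructed access-log lines and a constructed list of kit titles. The log format, the authenticated-user field in it, and the titles are assumptions; how the real titles are enumerated depends on where the plugin stores them and is deliberately left out.

```php
<?php
// Added example for the review and monitoring steps; not PatchSiren's or the
// plugin's code. Log lines and titles below are constructed sample data.
// Run with: php agwp_audit.php

const AGWP_ENDPOINT = '/wp-json/agwp/v1/tokens/save';

// Constructed combined-log-format lines. The user in field 3 is only there
// because this hypothetical server logs it; most stacks log "-", in which
// case correlate on IP and time instead.
$sample_log = <<<'LOG'
203.0.113.7 - contributor1 [27/May/2026:10:02:11 +0000] "POST /wp-json/agwp/v1/tokens/save HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - contributor1 [27/May/2026:10:02:40 +0000] "POST /wp-json/agwp/v1/tokens/save HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.9 - admin1 [27/May/2026:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - contributor1 [27/May/2026:10:05:03 +0000] "POST /wp-json/agwp/v1/tokens/save HTTP/1.1" 200 87 "-" "python-requests/2.31"
LOG;

// Constructed titles standing in for whatever the plugin has stored.
$sample_titles = array(
    'Corporate blue',
    'Landing page v2',
    '" autofocus onfocus="alert(document.domain)',
    'Promo <img src=x onerror=alert(1)>',
);

/** Parse one combined-log-format line; null when it does not match. */
function agwp_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1], 'user'   => $m[2], 'time' => $m[3],
        'method' => $m[4], 'path'   => $m[5],
        'status' => (int) $m[6], 'ua' => $m[7],
    );
}

/** Requests to the save endpoint (any method), grouped per ip/user. */
function agwp_endpoint_hits( string $log ): array {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = agwp_parse_log_line( $line );
        if ( null === $r ) {
            continue;
        }
        // strtok() drops any query string so ?foo=bar variants still match.
        if ( strtok( $r['path'], '?' ) === AGWP_ENDPOINT ) {
            $hits[ $r['ip'] . '/' . $r['user'] ][] = $r;
        }
    }
    return $hits;
}

/** True when a title contains anything that matters inside value="...". */
function agwp_title_is_suspicious( string $title ): bool {
    // A quote ends the attribute, < and > start tags, and on*= handlers or
    // javascript: URIs are the usual payload bodies once the attribute is
    // broken out of. Legitimate kit titles need none of these.
    return 1 === preg_match( '/["\'<>]|\bon\w+\s*=|javascript:/i', $title );
}

foreach ( agwp_endpoint_hits( $sample_log ) as $client => $reqs ) {
    $uas = array_unique( array_column( $reqs, 'ua' ) );
    printf( "%s: %d save requests, user agents: %s\n",
        $client, count( $reqs ), implode( ' | ', $uas ) );
}
foreach ( $sample_titles as $t ) {
    if ( agwp_title_is_suspicious( $t ) ) {
        printf( "SUSPICIOUS title: %s\n", $t );
    }
}
```

On the sample data the script reports one client, `203.0.113.7/contributor1`, with three save requests across two user agents, and flags the last two titles. The user-agent switch to a scripted client and the burst of saves from one contributor is the kind of signal that is visible even though the request body itself is not in the log.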

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository changeset. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Official resources

2026-05-27