PatchSiren cyber security CVE debrief
CVE-2026-11390 blazethemes CVE debrief
The News Kit Addons For Elementor plugin for WordPress has a Stored Cross-Site Scripting vulnerability via Site Logo Title and Single Author Box Widgets in all versions up to, and including, 1.4.6. This is due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts in pages that execute when a user accesses an injected page.
- Vendor
- blazethemes
- Product
- News Kit Addons For Elementor
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of News Kit Addons For Elementor plugin for WordPress, especially those with contributor-level access and above, should be aware of this vulnerability and take immediate action to protect their sites.
Technical summary
The vulnerability exists in the News Kit Addons For Elementor plugin for WordPress, specifically in the Site Logo Title and Single Author Box Widgets. The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts. These scripts can be executed when a user accesses an injected page. Exploitation requires an attacker to intercept and modify the elementor_ajax AJAX save request to bypass client-side SELECT control restrictions and submit arbitrary tag-name values.
Defensive priority
Medium priority due to the requirement for contributor-level access and the need for exploitation via AJAX request modification.
Recommended defensive actions
- Update News Kit Addons For Elementor plugin to a version beyond 1.4.6.
- Restrict contributor-level access and above to trusted users.
- Monitor for suspicious AJAX requests to elementor_ajax.
- Implement additional input validation and output encoding for Site Logo Title and Single Author Box Widgets.
- Perform regular security audits to identify potential vulnerabilities.
- Review and update access controls for WordPress installations.
- Track and verify updates to the News Kit Addons For Elementor plugin.
Evidence notes
Evidence from the NVD and Wordfence indicates a Stored Cross-Site Scripting vulnerability in News Kit Addons For Elementor plugin versions up to 1.4.6. The CVE record and NVD detail provide official confirmation of the vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T02:16:52.280Z and has not been modified since then.