PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12141 leap13 CVE debrief

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is specifically triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor, as the raw unescaped output occurs via the print_template() method registered on the 'elementor/section/print_template' hook rather than on the public-facing frontend. The vulnerability has a CVSS score of 4.9 and a severity of MEDIUM. The CVE record was published on 2026-07-11T05:16:32.000Z and has not been modified since then.

Vendor
leap13
Product
Premium Addons for Elementor – Powerful Elementor Templates & Widgets
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Authenticated attackers with contributor-level access and above, as well as administrators and higher-privileged users who may be affected by the injected payload when opening the affected post in the Elementor editor.

Technical summary

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. The vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts. The injected payload is triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor.

Defensive priority

Medium

Recommended defensive actions

  • Inventory and verify installed plugin versions
  • Restrict contributor-level access and above
  • Implement a web application firewall
  • Regularly update and patch plugins
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-11T05:16:32.000Z and has not been modified since then. The NVD entry is currently 4.9 MEDIUM. The vulnerability affects the Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress. The source of this information is the NVD entry for CVE-2026-12141.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T05:16:32.000Z and has not been modified since then.