PatchSiren cyber security CVE debrief
CVE-2026-12141 leap13 CVE debrief
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is specifically triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor, as the raw unescaped output occurs via the print_template() method registered on the 'elementor/section/print_template' hook rather than on the public-facing frontend. The vulnerability has a CVSS score of 4.9 and a severity of MEDIUM. The CVE record was published on 2026-07-11T05:16:32.000Z and has not been modified since then.
- Vendor
- leap13
- Product
- Premium Addons for Elementor – Powerful Elementor Templates & Widgets
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Authenticated attackers with contributor-level access and above, as well as administrators and higher-privileged users who may be affected by the injected payload when opening the affected post in the Elementor editor.
Technical summary
The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. The vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts. The injected payload is triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor.
Defensive priority
Medium
Recommended defensive actions
- Inventory and verify installed plugin versions
- Restrict contributor-level access and above
- Implement a web application firewall
- Regularly update and patch plugins
- Monitor for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-11T05:16:32.000Z and has not been modified since then. The NVD entry is currently 4.9 MEDIUM. The vulnerability affects the Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress. The source of this information is the NVD entry for CVE-2026-12141.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T05:16:32.000Z and has not been modified since then.