PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15299 wealcoder CVE debrief

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weather_style' and 'move_direction' parameters of the Weather widget in all versions up to, and including, 2.6.3. This vulnerability allows an attacker to inject malicious scripts into the affected page, potentially leading to unauthorized actions or data breaches. Users with Contributor-level access or above can exploit this vulnerability by submitting a crafted save_builder AJAX request. The plugin's failure to properly escape output in the Weather widget's render() function enables the stored payload to be executed on every frontend visit to the affected page.

Vendor
wealcoder
Product
Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of the Animation Addons for Elementor plugin for WordPress, particularly those with Contributor-level access or above, should be aware of this vulnerability and take steps to mitigate it. This includes updating the plugin to version 2.6.4 or later, validating and sanitizing user input, and implementing output escaping for the Weather widget's render() function. Additionally, users should review compensating controls, monitor for exposed assets, and track exceptions to ensure the vulnerability is properly addressed.

Technical summary

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weather_style' and 'move_direction' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render() function at widgets/weather.php:1246, where both settings values are placed into an HTML class attribute without esc_attr(). Elementor does not server-side validate widget SELECT control values against allowed options on save, so an authenticated attacker with Contributor-level access or above can submit a crafted save_builder AJAX request storing arbitrary values in the _elementor_data post meta.

Defensive priority

Medium

Recommended defensive actions

  • Update the Animation Addons for Elementor plugin to version 2.6.4 or later
  • Validate and sanitize user input for the Weather widget's 'weather_style' and 'move_direction' parameters
  • Implement output escaping for the Weather widget's render() function
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability was reported by [email protected] and is documented in the CVE record and NVD entry. The reporter provided details on the insufficient output escaping in the Weather widget's render() function at widgets/weather.php:1246. The vulnerability allows an authenticated attacker with Contributor-level access or above to submit a crafted save_builder AJAX request storing arbitrary values in the _elementor_data post meta. The stored payload renders unescaped on every frontend visit to the affected page.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:33.257Z and has not been modified since then.