PatchSiren cyber security CVE debrief
CVE-2026-6459 wpdevteam CVE debrief
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced from The Events Calendar. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and a severity of MEDIUM. Users should review their installations and ensure they are running version 6.6.3 or later.
- Vendor
- wpdevteam
- Product
- Essential Addons for Elementor – Popular Elementor Templates & Widgets
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Users of the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress, particularly those with Author-level access and above, should review their installations and ensure they are running version 6.6.3 or later. Additionally, security teams and vulnerability management teams should be aware of the vulnerability and its potential impact.
Technical summary
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget. The vulnerability exists due to insufficient input sanitization and output escaping on event titles sourced from The Events Calendar. This allows authenticated attackers with Author-level access and above to inject arbitrary web scripts. The vulnerability has a CVSS score of 6.4 and a severity of MEDIUM.
Defensive priority
Medium
Recommended defensive actions
- Apply the latest patch (6.6.3 or later) for the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin.
- Restrict access to the Event Calendar widget to prevent Author-level access and above.
- Implement additional input sanitization and output escaping measures.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-08T13:16:57.380Z and last modified on 2026-07-08T15:16:32.627Z. The NVD entry is currently Deferred. There are several references to the CVE record and NVD detail, including from [email protected]. The vulnerability affects the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T13:16:57.380Z and has not been modified since then. The NVD entry is currently Deferred.