PatchSiren cyber security CVE debrief
CVE-2026-8677 wpmessiah CVE debrief
The Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Vendor: wpmessiah
- Product: Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of the Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress, particularly those with contributor-level access and above.
Technical summary
The vulnerability exists due to insufficient input sanitization and output escaping in the Widget HTML Tag Settings. An authenticated attacker with contributor-level access and above can inject arbitrary web scripts, which will execute when a user accesses the injected page.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a patched version of the plugin (if available).
- Restrict access to the plugin's settings to trusted users only.
- Monitor for suspicious activity on the website.
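As an aid to the monitoring action above, the following added example (not code from the advisory or the plugin) audits an exported Elementor `_elementor_data` post-meta value for HTML tag settings whose value is not a plain tag name. The setting-key heuristic, the allowlist, the widget names and the sample document are assumptions constructed for illustration; the plugin's real control names are not given in this debrief.

```python
import json

# Assumption: tag names a widget's "HTML tag" control would legitimately offer.
ALLOWED_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "p",
                "section", "article", "header", "footer", "a"}

def is_tag_setting(key):
    # Heuristic (assumption): treat keys such as "title_tag" or "html_tag" as tag controls.
    k = key.lower()
    return k == "tag" or k.endswith("_tag") or k.startswith("tag_")

def find_suspicious_tags(elementor_data, post_id=None):
    """Return tag settings in an _elementor_data JSON string that fall outside the allowlist."""
    findings = []

    def walk(elements):
        for el in elements:
            if not isinstance(el, dict):
                continue
            settings = el.get("settings")
            # Empty settings may be serialized as [] instead of {}; only dicts carry values.
            if isinstance(settings, dict):
                for key, value in settings.items():
                    if is_tag_setting(key) and isinstance(value, str) and value:
                        if value.lower() not in ALLOWED_TAGS:
                            findings.append({"post_id": post_id,
                                             "element_id": el.get("id"),
                                             "widget": el.get("widgetType"),
                                             "key": key, "value": value})
            walk(el.get("elements") or [])

    doc = json.loads(elementor_data)
    walk(doc if isinstance(doc, list) else [])
    return findings

# Constructed sample: one clean widget, one whose tag value carries an attribute.
SAMPLE = json.dumps([
    {"id": "a1", "elType": "section", "settings": [], "elements": [
        {"id": "b2", "elType": "widget", "widgetType": "example-heading",
         "settings": {"title": "Hello", "title_tag": "h2"}, "elements": []},
        {"id": "c3", "elType": "widget", "widgetType": "example-heading",
         "settings": {"title": "Hi", "title_tag": "div onmouseover=alert(1)"},
         "elements": []},
    ]},
])

if __name__ == "__main__":
    for hit in find_suspicious_tags(SAMPLE, post_id=42):
        print(hit)
```

The input is the JSON stored under the `_elementor_data` meta key of each post, which can be exported with `wp post meta get <post-id> _elementor_data`. Any finding is a lead for manual review of the post's revision history and author, not proof of compromise.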
Evidence notes
The vulnerability was reported by [email protected].
Official resources
CVE-2026-8677 was published on 2026-06-09T09:16:31.310Z and modified on 2026-06-09T13:33:34.393Z.