CVE-2026-2600

MEDIUM

ElementsKit Elementor Addons and Templates <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Simple Tab Widget

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-2600. PoCs published by FOLKS-iwd.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2026-2600, an authenticated stored XSS vulnerability in ElementsKit Elementor Addons <= 3.7.9. The exploit leverages insufficient output escaping in the Simple Tab widget, allowing contributors to inject arbitrary HTML/JavaScript via the REST API.

Description

The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ekit_tab_title' parameter in the Simple Tab widget in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Exploits (1)

nomisec WORKING POC
by FOLKS-iwd · poc
https://github.com/FOLKS-iwd/CVE-2026-2600-POC

Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: ElementsKit Elementor Addons <= 3.7.9
Auth required
Prerequisites: Contributor-level WordPress account · REST API access · ElementsKit plugin <= 3.7.9
devstral-2 · analyzed Apr 21, 2026

Scores

CVSS v3 6.4
EPSS 0.0029
EPSS Percentile 20.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-79
Status published
Products (1)
roxnor/ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor < 3.7.9
Published Apr 04, 2026
Tracked Since Apr 04, 2026