Description
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, causing all sanitization to be skipped. The unsanitized data is then stored via update_post_meta() and later output without escaping through multiple widget sinks including the HTML widget's print_unescaped_setting() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
INFO
Published Date :
2026-05-01T05:29:53.183Z
Last Modified :
2026-05-01T05:29:53.183Z
Source :
Wordfence
AFFECTED PRODUCTS
The following products are affected by CVE-2026-6127 vulnerability.
| Vendors | Products |
|---|---|
| Elemntor |
|
| Wordpress |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-6127.
