Attack Vectors
PQ Addons – Creative Elementor Widgets (slug: peacefulqode-elementzplus-widgets) has a Medium-severity stored cross-site scripting (XSS) vulnerability (CVE-2026-1397, CVSS 6.4) affecting versions up to and including 1.0.0. An attacker must be authenticated with Contributor-level access or higher to exploit it.
In practical terms, this means any compromised or misused contributor account (including contractors, agencies, or internal users with elevated content permissions) could inject malicious script into a page built with the affected widget. The injected script would then execute when visitors or staff load that page—potentially including high-value pages such as landing pages, product pages, blog posts, or campaign microsites.
Reference: CVE-2026-1397. Source disclosure: Wordfence vulnerability record.
Security Weakness
The issue is caused by insufficient input sanitization and output escaping on a specific widget attribute: the html_tag parameter in the PQ Section Title widget. Because this parameter is not adequately validated/escaped, an authenticated attacker can store script payloads in content.
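A defensive illustration of the weakness described above, added here and not taken from the plugin's code: a widget render function that trusts the stored html_tag value, next to one that validates it against a fixed allowlist and escapes the text on output. Function names are hypothetical, and the safe version assumes WordPress's esc_html() is available.

```php
<?php
// Added example (not code from PQ Addons): handling a user-controlled
// "html_tag" widget setting safely. All function names are hypothetical.

// Vulnerable pattern: the saved tag name is trusted as-is and interpolated
// into markup, so whatever a Contributor stored is emitted into the page.
// An Elementor SELECT control limits the editor UI, but the stored settings
// are still attacker-controlled data, so validation must happen at render.
function pq_example_render_title_unsafe( array $settings ) {
    $tag   = $settings['html_tag'];
    $title = $settings['title'];
    return "<{$tag}>{$title}</{$tag}>";
}

// Hardened pattern: the tag is checked against an allowlist, anything else
// falls back to a safe default, and the text content is escaped on output.
function pq_example_allowed_title_tags() {
    return array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span' );
}

function pq_example_sanitize_title_tag( $tag ) {
    $tag = strtolower( trim( (string) $tag ) );
    return in_array( $tag, pq_example_allowed_title_tags(), true ) ? $tag : 'h2';
}

function pq_example_render_title_safe( array $settings ) {
    $tag = pq_example_sanitize_title_tag( $settings['html_tag'] ?? 'h2' );
    // esc_html() is WordPress's output-escaping helper for text nodes.
    $title = esc_html( $settings['title'] ?? '' );
    return "<{$tag}>{$title}</{$tag}>";
}
```

The same allowlist check should also run when the setting is saved, so that unexpected values never reach the database, but the render-time check is what closes the stored XSS path.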
Stored XSS is particularly risky for business websites because it can persist across sessions and execute for multiple users over time, not just the attacker. The published advisory indicates no known patch is available at this time, so risk decisions should focus on mitigation and exposure reduction.
Technical or Business Impacts
If exploited, stored XSS may enable actions that harm brand and revenue outcomes—such as altering on-page content, redirecting visitors, injecting unwanted advertisements, or interfering with analytics and conversion tracking. It can also be used to target logged-in users (e.g., site editors or administrators) who visit the affected page, which may increase downstream risk depending on the environment and access controls.
Business impacts can include reputational damage (especially if campaign pages are defaced), reduced lead quality, loss of customer trust, and potential compliance concerns if site content is manipulated or if visitor interactions are impacted. While this CVE is rated Medium, the risk may be higher for organizations that rely heavily on WordPress content workflows with multiple contributor accounts.
Recommended mitigations (given no known patch): consider uninstalling PQ Addons – Creative Elementor Widgets and replacing it with an alternative; restrict or reduce Contributor+ access (especially for third parties); audit pages using the PQ Section Title widget for unexpected markup; and strengthen account security (MFA, least-privilege roles, and routine account reviews). Where feasible, add monitoring for unexpected content changes and implement a web application firewall policy to reduce the likelihood of successful script injection.
Similar attacks (real-world examples): Stored XSS is a common WordPress risk class and has affected major plugins in the past, including vulnerabilities disclosed in Elementor (XSS), Contact Form 7 (XSS), and WP Live Chat Support (XSS).