{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39703", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:22.475Z", "datePublished": "2026-04-08T08:30:47.201Z", "dateUpdated": "2026-04-08T08:30:47.201Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpbits-addons-for-elementor", "product": "WPBITS Addons For Elementor Page Builder", "vendor": "wpbits", "versions": [{"lessThanOrEqual": "1.8.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:46.081Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.<p>This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:47.201Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpbits-addons-for-elementor/vulnerability/wordpress-wpbits-addons-for-elementor-page-builder-plugin-1-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress WPBITS Addons For Elementor Page Builder plugin <= 1.8.1 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through <= 1.8.1."}], "id": "CVE-2026-39703", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:42.950", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpbits-addons-for-elementor/vulnerability/wordpress-wpbits-addons-for-elementor-page-builder-plugin-1-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WPBITS Addons For Elementor Page Builder", "source": "cna", "vendor": "wpbits"}, "product": "wpbits_addons_for_elementor_page_builder", "vendor": "wpbits"}], "analysis": {"en": {"generated_at": "2026-04-08T11:06:22.855737+00:00", "value": {"mitigation_remediation": ["Update WPBITS Addons For Elementor Page Builder to a version newer than 1.8.1 if available.", "If an update is not immediately available, consider disabling the plugin or removing untrusted widget content.", "Check the vendor\u2019s website or support channels for new patches or advisories."], "summary": {"action": "Patch", "impact": "Cross-site scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the WPBITS Addons For Elementor Page Builder plugin supplied by wpbits. Any installation of version 1.8.1 or earlier is susceptible; later versions are presumed fixed. Sites using this plugin on WordPress are at risk.", "description_and_impact": "The plugin contains a stored cross-site scripting flaw that allows an attacker to insert malicious JavaScript into content fields that are later rendered on visitor pages. If exploited, the script runs in the browser context of any user viewing the affected page, enabling session hijacking, credential theft, defacement, or redirection to malicious sites. This poses a significant risk to confidentiality, integrity, and availability for sites that publish content through the widget or editor.", "risk_and_exploitability": "The likely attack vector involves an authenticated or otherwise privileged user submitting malicious content via the plugin\u2019s editor or widget fields, which is stored and later rendered to all visitors. No EPSS score or KEV status is available, but stored XSS is generally considered a severe risk due to its ability to affect every page visitor without additional action. The absence of a public patch in the CVE record indicates that updating to a version newer than 1.8.1 is necessary; until such a patch is applied, the vulnerability remains exploitable."}}}}, "created": "2026-04-08T19:27:31.754685+00:00", "updated": "2026-04-08T19:40:16.083440+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpbits", "wpbits$PRODUCT$wpbits_addons_for_elementor_page_builder"]}