CVE-2026-2949: Xpro Addons XSS Vulnerability (≤1.4.24)
Platform: wordpress
Component: xpro-elementor-addons
Fixed in: 1.4.25
CVE-2026-2949 is a stored Cross-Site Scripting (XSS) vulnerability in the Xpro Addons — 140+ Widgets for Elementor plugin for WordPress. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which execute when a user accesses the injected page. The affected versions are up to and including 1.4.24. The vulnerability is fixed in version 1.4.25.
How to fix
Update to version 1.4.25 or a newer patched version.
Frequently asked questions
What is CVE-2026-2949?
CVE-2026-2949 is a stored Cross-Site Scripting (XSS) vulnerability in the Xpro Addons plugin for WordPress, allowing authenticated attackers to inject malicious scripts.
Am I affected by CVE-2026-2949?
You are affected if you are using the Xpro Addons — 140+ Widgets for Elementor plugin for WordPress, versions up to and including 1.4.24.
How do I fix CVE-2026-2949?
To fix CVE-2026-2949, update the Xpro Addons — 140+ Widgets for Elementor plugin to version 1.4.25 or later.