CVE-2026-15299 MEDIUM

CVE-2026-15299: Animation Addons for Elementor <= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Weather Widget

Vendor Wealcoder
Product Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates
Weakness CWE-79 · XSS
Published July 10, 2026
Last update July 10, 2026

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weather_style' and 'move_direction' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render() function at widgets/weather.php:1246, where both settings values are placed into an HTML class attribute without esc_attr(). Elementor does not server-side validate widget SELECT control values against allowed options on save, so an authenticated attacker with Contributor-level access or above can submit a crafted save_builder AJAX request storing arbitrary values in the _elementor_data post meta. The stored payload renders unescaped on every frontend visit to the affected page (the Weather widget requires an OpenWeatherMap API key to reach the vulnerable output, which is the normal operational state for sites using this widget).

Explanation of Vulnerability in Simple Terms

02Summary

Animation Addons for Elementor versions up to 2.6.3 contain a stored cross-site scripting (XSS) vulnerability. An authenticated user with low privileges can inject malicious scripts that execute in the browsers of other site visitors, potentially compromising their sessions or stealing data. The vulnerability affects the site's scope, meaning impacts may extend beyond the plugin itself.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that run in other users' browsers when they view affected pages.

Potential impact on your site

04Site Impact

Visitors' sessions and data can be compromised by malicious scripts injected by low-privilege users.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege authenticated account on the site.

Key dates

06Disclosure timeline

July 10, 2026 CVE published
July 10, 2026 Record updated

Related vulnerabilities

08Related CVE