cvedb.io
CVE-2026-12869
UNKNOWN · CVSS n/a
EPSS exploitation probability: 0%
Published 2026-07-16T07:16:47.300 · Last modified 2026-07-16T07:16:47.300

Summary

The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action (it allows any edit_posts user), so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide, injecting JavaScript that executes in the session of any visitor or administrator who loads the site.

Does this affect you?

Add your gear to cvedb and we'll alert you only when a vendor you run ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.