PT-2026-44759 · WordPress · The Plus Addons For Elementor
João Pedro Soares De Alcântara
+1
·
Published
2026-05-29
·
Updated
2026-05-29
·
CVE-2026-9243
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The Plus Addons for Elementor versions prior to 6.4.16
Description
The plugin is subject to Stored Cross-Site Scripting, a flaw where malicious scripts are permanently stored on the target server. The issue exists in the Carousel Anything widget due to insufficient output escaping within the
render() function. Specifically, the carousel direction parameter is placed into an unquoted HTML attribute (dir=), which allows attribute injection even when esc attr() is used. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages that execute when accessed by other users.Recommendations
Update to a version later than 6.4.15.
As a temporary workaround, restrict access to the Carousel Anything widget or avoid using the
carousel direction parameter until the update is applied.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
The Plus Addons For Elementor