PT-2026-44759 · WordPress · The Plus Addons For Elementor

João Pedro Soares De Alcântara

+1

·

Published

2026-05-29

·

Updated

2026-05-29

·

CVE-2026-9243

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions The Plus Addons for Elementor versions prior to 6.4.16
Description The plugin is subject to Stored Cross-Site Scripting, a flaw where malicious scripts are permanently stored on the target server. The issue exists in the Carousel Anything widget due to insufficient output escaping within the render() function. Specifically, the carousel direction parameter is placed into an unquoted HTML attribute (dir=), which allows attribute injection even when esc attr() is used. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages that execute when accessed by other users.
Recommendations Update to a version later than 6.4.15. As a temporary workaround, restrict access to the Carousel Anything widget or avoid using the carousel direction parameter until the update is applied.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9243

Affected Products

The Plus Addons For Elementor