Reflected Cross-Site Scripting Vulnerability in Product Filter Widget for Elementor
CVE-2026-11603

6.1MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
9 June 2026

What is CVE-2026-11603?

The Product Filter Widget for Elementor plugin for WordPress suffers from a reflected cross-site scripting vulnerability due to inadequate input sanitization and output escaping. This issue affects all versions up to and including 1.0.6. Attackers can exploit this vulnerability by injecting arbitrary web scripts through the 'args[filterFormArray]' parameter. If a user interacts with a crafted link, it can lead to the unintended execution of malicious scripts, putting users at risk. The flaw is exacerbated by the absence of nonce verification or capability checks in the wp_ajax_nopriv_ endpoint, allowing unauthorized access. This vulnerability requires user interaction, making it vital for administrators and users to remain vigilant against potential threats.

Affected Version(s)

Product Filter Widget for Elementor 0 <= 1.0.6

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

JongWook Gong
.