Reflected Cross-Site Scripting Vulnerability in Product Filter Widget for Elementor
CVE-2026-11603
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 June 2026
What is CVE-2026-11603?
The Product Filter Widget for Elementor plugin for WordPress suffers from a reflected cross-site scripting vulnerability due to inadequate input sanitization and output escaping. This issue affects all versions up to and including 1.0.6. Attackers can exploit this vulnerability by injecting arbitrary web scripts through the 'args[filterFormArray]' parameter. If a user interacts with a crafted link, it can lead to the unintended execution of malicious scripts, putting users at risk. The flaw is exacerbated by the absence of nonce verification or capability checks in the wp_ajax_nopriv_ endpoint, allowing unauthorized access. This vulnerability requires user interaction, making it vital for administrators and users to remain vigilant against potential threats.
Affected Version(s)
Product Filter Widget for Elementor 0 <= 1.0.6