Stored Cross-Site Scripting Vulnerability in Plus Addons for Elementor Plugin by WordPress
CVE-2026-9243
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 29 May 2026
What is CVE-2026-9243?
The Plus Addons for Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting attacks due to insufficient output escaping when handling the 'carousel_direction' parameter in the Carousel Anything widget. Authenticated attackers with contributor-level access or higher can exploit this vulnerability by injecting arbitrary web scripts via unquoted HTML attributes. The flaw exists in versions up to and including 6.4.15, creating a security risk for users accessing affected pages.
Affected Version(s)
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce 0 <= 6.4.15