Stored Cross-Site Scripting Vulnerability in Plus Addons for Elementor Plugin by WordPress
CVE-2026-9243

6.4MEDIUM

What is CVE-2026-9243?

The Plus Addons for Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting attacks due to insufficient output escaping when handling the 'carousel_direction' parameter in the Carousel Anything widget. Authenticated attackers with contributor-level access or higher can exploit this vulnerability by injecting arbitrary web scripts via unquoted HTML attributes. The flaw exists in versions up to and including 6.4.15, creating a security risk for users accessing affected pages.

Affected Version(s)

The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce 0 <= 6.4.15

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

João Pedro S Alcântara (Kinorth)
.