CVE-2026-15285 PUBLISHED

The Plus Addons for Elementor <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes

Assigner: Wordfence
Reserved: 09.07.2026 Published: 10.07.2026 Updated: 10.07.2026

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's custom_attributes setting in versions up to and including 6.4.11. The render function in modules/widgets/tp_button.php passed the raw custom_attributes string through tp_senitize_js_input(). This filter is bypassable. The issue is patched in version 6.4.12.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.4

Product Status

Vendor posimyththemes
Product The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
Versions Default: unaffected
  • affected from 0 to 6.4.11 (incl.)

Credits

  • theviper17y finder

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE