Description
The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The endpoint is registered via wp_ajax_nopriv_ with no nonce verification or capability check, and exploitation is delivered via a CSRF-style form auto-submission to the admin-ajax.php endpoint, requiring the attacker to trick a victim into visiting an attacker-controlled page.
Published: 2026-06-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Product Filter Widget for Elementor plugin contains a reflected cross‑site scripting flaw in the 'args[filterFormArray]' parameter. Because the value is never sanitized or properly escaped before being sent to the browser, an unauthenticated attacker can insert arbitrary JavaScript that executes in the victim’s context when the payload is displayed. This allows session hijacking, defacement, or phishing attacks against users who follow a crafted link, making the vulnerability a classic XSS vector.

Affected Systems

WordPress sites running the Product Filter Widget for Elementor plugin by brthumar1959, versions up to and including 1.0.6 inclusive, are affected.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS is not available, but the flaw can be exploited remotely via a CSRF‑style HTTP request to admin-ajax.php without authentication. The lack of nonce verification means an attacker only needs to trick a user into visiting an attacker‑controlled page that auto‑submits the malicious payload. Because the vulnerability does not require any administrative privileges, it can be used by any external actor against any vulnerable site. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 9, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a fixed release (1.0.7 or newer) that removes the XSS vector.
  • If an immediate update is not possible, remove or block the wp_ajax_nopriv_ action for the vulnerable endpoint, for example by adding a filter that removes the action hook or by disabling the plugin temporarily.
  • Deploy a web‑application firewall rule or .htaccess restriction that blocks requests to admin-ajax.php carrying the 'args[filterFormArray]' parameter until the plugin is upgraded.

Generated by OpenCVE AI on June 9, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Brthumar1959
Brthumar1959 product Filter Widget For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Brthumar1959
Brthumar1959 product Filter Widget For Elementor
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The endpoint is registered via wp_ajax_nopriv_ with no nonce verification or capability check, and exploitation is delivered via a CSRF-style form auto-submission to the admin-ajax.php endpoint, requiring the attacker to trick a victim into visiting an attacker-controlled page.
Title Product Filter Widget for Elementor <= 1.0.6 - Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Brthumar1959 Product Filter Widget For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T15:19:33.016Z

Reserved: 2026-06-08T15:12:34.507Z

Link: CVE-2026-11603

cve-icon Vulnrichment

Updated: 2026-06-09T15:19:25.915Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T05:16:30.090

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-11603

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:55:55Z

Weaknesses