Impact
Untrusted input is injected into page output without proper escaping, creating a reflected Cross Site Scripting flaw. This allows an attacker to run arbitrary JavaScript in the context of any user who views a crafted page, potentially leading to session hijacking, credential theft, defacement, or drive‑by downloads. The weakness is identified as CWE‑79.
Affected Systems
Bhavin Thummar’s Product Filter Widget for Elementor plugin for WordPress is impacted. Any installation of version 1.0.6 or earlier is vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates a high‑severity flaw, while the EPSS score of less than 1% suggests a low probability of exploitation at present. It is not listed in CISA’s KEV catalog. The likely attack vector involves manipulating a URL or form that the plugin renders without sanitization, which is inferred from the description rather than explicitly stated.
OpenCVE Enrichment