Description
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to stored cross-site scripting via the `menu_hover_click` parameter of the Navigation Menu Lite widget in all versions up to, and including, 6.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Plus Addons for Elementor plugin is vulnerable to stored cross‑site scripting through the menu_hover_click parameter of the Navigation Menu Lite widget in versions up to and including 6.4.11. The lack of input sanitization and output escaping allows an attacker with contributor-level access or higher to inject arbitrary scripts that execute whenever a page containing the widget is viewed. This can lead to credential theft, session hijacking or defacement. The weakness is identified as CWE‑79.

Affected Systems

Vendor posimyththemes provides the plugin The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce. All releases up to 6.4.11 are affected, including 6.4.11 itself.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium‑severity risk. EPSS data is not available, so the exploitation probability cannot be quantified, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires authenticated access with contributor-level permissions, so the threat surface is limited to users who can modify plugin widgets. If such an access level exists, an attacker can inject scripts that run for every visitor to the affected page.

Generated by OpenCVE AI on May 14, 2026 at 07:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to version 6.4.12 or later, which contains the fixed input sanitization for the Navigation Menu Lite widget.
  • If an upgrade is not possible, disable or remove the Navigation Menu Lite widget from pages to eliminate the vulnerable input point.
  • Restrict contributor permissions and audit user roles to ensure that only trusted users can modify widget settings.

Generated by OpenCVE AI on May 14, 2026 at 07:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Posimyththemes
Posimyththemes the Plus Addons For Elementor – Addons For Elementor, Page Templates, Widgets, Mega Menu, Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Posimyththemes
Posimyththemes the Plus Addons For Elementor – Addons For Elementor, Page Templates, Widgets, Mega Menu, Woocommerce
Wordpress
Wordpress wordpress

Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to stored cross-site scripting via the `menu_hover_click` parameter of the Navigation Menu Lite widget in all versions up to, and including, 6.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Navigation Menu Lite Widget
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Posimyththemes The Plus Addons For Elementor – Addons For Elementor, Page Templates, Widgets, Mega Menu, Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:47:13.936Z

Reserved: 2026-03-31T14:35:42.185Z

Link: CVE-2026-5243

cve-icon Vulnrichment

Updated: 2026-05-14T10:47:08.816Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T06:16:23.947

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-5243

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T07:45:15Z

Weaknesses