Description
The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15. This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=), allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-29
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the Plus Addons for Elementor plugin for WordPress because the carousel_direction value is passed through esc_attr() but then inserted into an unquoted dir= attribute in the widget's render() function. esc_attr() does not neutralise the characters that terminate an unquoted attribute value, so the escaping is applied in the wrong context and an authenticated contributor can inject additional attributes and embed JavaScript that executes for every visitor of the edited page.
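The context mismatch described above, shown as an added illustration rather than the plugin's own code: the two render functions are hypothetical reconstructions of the vulnerable and hardened patterns, not posimyththemes' source, and the esc_attr() stand-in mimics WordPress's real escaping of & < > " ' so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's code): why esc_attr() alone does not protect an
// unquoted HTML attribute, and the allow-listed, quoted form a fix should use.

// Stand-in for WordPress's esc_attr() so this file runs outside WordPress. Like the
// real esc_attr(), it encodes & < > " ' but leaves spaces and '=' untouched, which is
// exactly what lets an unquoted attribute value carry extra tokens.
if (!function_exists('esc_attr')) {
    function esc_attr($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical reconstruction of the vulnerable pattern: the value is escaped, but
// the attribute is emitted without quotes, so the escaping is in the wrong context.
function render_carousel_unquoted(array $settings)
{
    $direction = esc_attr($settings['carousel_direction'] ?? 'ltr');
    return '<div class="carousel" dir=' . $direction . '></div>';
}

// Hardened pattern: validate against the only values dir= accepts, then emit the
// value inside double quotes (escaping still applied, belt and braces).
function render_carousel_hardened(array $settings)
{
    $allowed   = array('ltr', 'rtl');
    $direction = $settings['carousel_direction'] ?? 'ltr';
    if (!in_array($direction, $allowed, true)) {
        $direction = 'ltr'; // anything outside the allow-list falls back to the default
    }
    return '<div class="carousel" dir="' . esc_attr($direction) . '"></div>';
}

// Constructed inputs: a legitimate value and a value carrying an extra attribute token.
$normal   = array('carousel_direction' => 'rtl');
$tampered = array('carousel_direction' => 'rtl title=injected');

echo render_carousel_unquoted($tampered), PHP_EOL;
echo render_carousel_hardened($tampered), PHP_EOL;
echo render_carousel_hardened($normal), PHP_EOL;
```

Run it with the php command-line interpreter. The unquoted render emits dir=rtl title=injected, which a browser parses as two separate attributes even though esc_attr() ran; the hardened render emits dir="ltr" for the tampered input and dir="rtl" for the legitimate one. Quoting the attribute alone would stop the token split, but for an attribute with a fixed vocabulary the allow-list is the better shape because it makes the content of the stored value irrelevant to the rendered markup.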

Affected Systems

WordPress sites running the Plus Addons for Elementor plugin at version 6.4.15 or earlier, especially those using the Carousel Anything widget. The vendor is posimyththemes, providing the Plus Addons for Elementor suite of widgets and page templates.

Risk and Exploitability

Exploitation requires contributor‑level or higher authentication, which many sites grant to content editors. The CVSS score of 6.4 reflects moderate severity, and while EPSS data is unavailable and the flaw is not yet listed in CISA KEV, the stored XSS payload can affect all site visitors, making the risk significant for sites that allow contributors to edit widget content.

Generated by OpenCVE AI on May 29, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Plus Addons for Elementor plugin to version 6.4.16 or later, where the carousel_direction output is properly escaped.
  • If an immediate upgrade is not possible, remove the Carousel Anything widget from all pages or disable the widget for contributors until the patch is applied.
  • Restrict contributor role permissions to limit editing privileges for the Carousel Anything widget or revoke contributor access until the vulnerability is fixed.

Advisories

No advisories yet.

History

Fri, 29 May 2026 10:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 07:45:00 +0000

Type          Values Removed    Values Added
Description                     The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15. This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=), allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                           The Plus Addons for Elementor <= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'carousel_direction' Parameter
Weaknesses                      CWE-79
References
Metrics                         cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T10:06:02.975Z

Reserved: 2026-05-21T19:17:51.867Z

Link: CVE-2026-9243

Vulnrichment

Updated: 2026-05-29T10:05:58.362Z

NVD

Status : Deferred

Published: 2026-05-29T08:16:19.627

Modified: 2026-05-29T13:09:05.450

Link: CVE-2026-9243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T08:30:26Z

Weaknesses