Back to overview

CVE-2026-15285

MEDIUM
6.4
CVSS 3.1
Description
The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in version 6.4.12.

Metadata

CVE ID
CVE-2026-15285
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-09 15:49 UTC
Published
2026-07-10 04:31 UTC
Last updated
2026-07-10 04:31 UTC
Primary CWE
CWE-79
CWE-79 Improper Neutralization of Input During Web Page Gene…
Vendor / Product
posimyththemes / The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
Sources
cve.org  ·  NVD

Severity & Metrics

6.4 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
posimyththemes The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce 0 ≤ 6.4.11
Weakness (CWE)
CWESourceDescription
CWE-79 cna CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.4 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Back to overview