Description
The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in version 6.4.12.
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
Any version
Timeline
| 2026-05-20: | Vendor Notified |
| 2026-05-21: | Disclosed |
Credits
theviper17y
References
www.wordfence.com/...-67e5-488d-b80a-49a61678fb98?source=cve
plugins.trac.wordpress.org/.../modules/widgets/tp_button.php
plugins.trac.wordpress.org/.../modules/widgets/tp_button.php
plugins.trac.wordpress.org/...10/modules/helper-function.php
plugins.trac.wordpress.org/.../modules/widgets/tp_button.php