Home

Description

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in version 6.4.12.

PUBLISHED Reserved 2026-07-09 | Published 2026-07-10 | Updated 2026-07-10 | Assigner Wordfence




MEDIUM: 6.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status
unaffected

Any version
affected

Timeline

2026-05-20:Vendor Notified
2026-05-21:Disclosed

Credits

theviper17y finder

References

www.wordfence.com/...-67e5-488d-b80a-49a61678fb98?source=cve

plugins.trac.wordpress.org/.../modules/widgets/tp_button.php

plugins.trac.wordpress.org/.../modules/widgets/tp_button.php

plugins.trac.wordpress.org/...10/modules/helper-function.php

plugins.trac.wordpress.org/.../modules/widgets/tp_button.php

cve.org (CVE-2026-15285)

nvd.nist.gov (CVE-2026-15285)

Download JSON