VYPR
Medium severity (6.1) · NVD Advisory · Published Jun 9, 2026

CVE-2026-11603

Description

WordPress Product Filter Widget for Elementor plugin vulnerable to Reflected XSS via filterFormArray parameter, affecting all versions up to 1.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Product Filter Widget for Elementor plugin for WordPress, in versions up to and including 1.0.6, is vulnerable to Reflected Cross-Site Scripting. The flaw lies in the `args[filterFormArray]` parameter, which is neither adequately sanitized on input nor escaped on output.

Exploitation

An unauthenticated attacker can exploit this vulnerability by tricking a victim into clicking a crafted link. The affected handler is registered through `wp_ajax_nopriv_`, so it is reachable without login, and it performs no nonce verification or capability check. The payload is delivered by a CSRF-style form auto-submission to the `admin-ajax.php` endpoint, which requires the attacker to host a malicious page that the victim visits [1].

Impact

Successful exploitation allows an unauthenticated attacker to inject arbitrary web scripts into pages viewed by the victim. This can lead to various client-side attacks, such as session hijacking or credential theft, depending on the injected script.

Mitigation

Versions of the Product Filter Widget for Elementor plugin up to and including 1.0.6 are affected. A patched version is available as of version 1.0.7, released on 2023-09-29. Users are strongly advised to update to version 1.0.7 or later immediately.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Insufficient input sanitization and output escaping in the Product Filter Widget for Elementor plugin allows for arbitrary script injection."

Attack vector

An unauthenticated attacker can craft a malicious link that, when clicked by a victim, injects arbitrary web scripts into a page. This is possible because the endpoint is registered via `wp_ajax_nopriv_` without nonce verification or capability checks. Exploitation is delivered via a CSRF-style form auto-submission to the `admin-ajax.php` endpoint, requiring the attacker to trick a victim into visiting an attacker-controlled page [1]. The vulnerability lies in the handling of the `args[filterFormArray]` parameter.

Affected code

The vulnerability exists within the `Eszpf_Ajax_Handler` class, specifically in the `eszlwcf_filter_product_result_ajax` function, which processes the `filterFormArray` parameter without adequate sanitization or escaping before outputting it. The relevant code can be found in the `inc/controller/Eszpf_Ajax_Handler.php` file around line 117 [1].
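To make the root cause concrete, the following is an added illustration written for this page; it is not the plugin's code and does not reproduce `Eszpf_Ajax_Handler`. It shows a hypothetical `admin-ajax.php` handler with the weak pattern the advisory describes (a `wp_ajax_nopriv_` handler reflecting a request parameter into HTML without a nonce check or escaping) beside a hardened version using standard WordPress APIs (`check_ajax_referer`, `wp_unslash`, `map_deep` with `sanitize_text_field`, `esc_attr`, `esc_html`, `wp_send_json_*`). The action name `example_filter`, the nonce action `example_filter_nonce`, the `security` field name and the allow-listed keys are assumptions chosen for the example.

```php
<?php
// Added illustration (not the plugin's code). All action, nonce and key names
// below are assumptions for the example.

// Weak pattern: a logged-out-reachable handler that copies a request parameter
// straight into the HTML response. No nonce check, no sanitization, no escaping.
function example_weak_filter_handler() {
    $args = isset( $_POST['args'] ) ? $_POST['args'] : array();
    $form = isset( $args['filterFormArray'] ) ? $args['filterFormArray'] : '';
    // Request-controlled value reaches the page verbatim: reflected XSS.
    echo '<div class="filter-result" data-form="' . $form . '"></div>';
    wp_die();
}

// Hardened pattern: verify a nonce, sanitize and allow-list the input, and
// escape every value that is interpolated into markup.
function example_hardened_filter_handler() {
    // 1. Nonce check. The page issuing the AJAX call embeds the token created by
    //    wp_create_nonce( 'example_filter_nonce' ) in a field named 'security'.
    //    Passing false as the third argument returns false instead of dying,
    //    so the handler can answer with a structured JSON error.
    if ( ! check_ajax_referer( 'example_filter_nonce', 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request token.' ), 403 );
    }

    // 2. Input handling. Unslash, require an array, then sanitize every leaf
    //    value of the possibly nested structure.
    $args = isset( $_POST['args'] ) ? wp_unslash( $_POST['args'] ) : null;
    if ( ! is_array( $args ) || ! isset( $args['filterFormArray'] ) ) {
        wp_send_json_error( array( 'message' => 'Missing filter data.' ), 400 );
    }
    $form = map_deep( $args['filterFormArray'], 'sanitize_text_field' );

    // 3. Allow-list the keys the widget actually understands; drop everything else.
    $allowed_keys = array( 'category', 'min_price', 'max_price', 'orderby' );
    $form = is_array( $form )
        ? array_intersect_key( $form, array_flip( $allowed_keys ) )
        : array();

    // 4. Output escaping. Each interpolated value is escaped for its context
    //    (attribute vs. text node); the client receives the fragment as JSON.
    $html = '<div class="filter-result" data-form="'
          . esc_attr( wp_json_encode( $form ) ) . '">'
          . esc_html( sprintf( '%d filter(s) applied', count( $form ) ) )
          . '</div>';
    wp_send_json_success( array( 'html' => $html ) );
}

// Register the hardened handler for both logged-in and anonymous visitors.
add_action( 'wp_ajax_example_filter',        'example_hardened_filter_handler' );
add_action( 'wp_ajax_nopriv_example_filter', 'example_hardened_filter_handler' );
```

Two design points worth noting. For a `nopriv` endpoint the nonce is generated for user ID 0 and is readable from the public page, so the nonce check limits blind cross-site form submission but is not what prevents the XSS; the essential fix is steps 2 to 4, sanitizing and allow-listing the input and escaping every value on output. Returning JSON rather than echoing HTML fragments also keeps the rendering decision in the client code, where the value can be inserted as text rather than parsed as markup.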

What the fix does

The advisory does not specify a patch or provide details on how the vulnerability is fixed. Remediation guidance suggests updating the plugin to a patched version once available.

Preconditions

  • Authentication: the attacker does not need any authentication.
  • Input: the attacker needs to control a page that can trick a victim into clicking a link or submitting a form.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)