VYPR
High severity (7.1) · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-45437

Description

Unauthenticated stored XSS in Product Filter Widget for Elementor ≤1.0.6 lets attackers inject malicious scripts executed when visitors browse the site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Product Filter Widget for Elementor plugin for WordPress, in versions up to and including 1.0.6, contains an unauthenticated Cross-Site Scripting (XSS) vulnerability. The flaw exists in the product filter functionality, where unsanitized user input is reflected or stored without proper escaping, allowing injection of arbitrary HTML and JavaScript.
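The following is an added illustration of the vulnerability class described above, not code from the Product Filter Widget for Elementor plugin (the advisory provides no source context). It assumes a hypothetical widget that stores an administrator-supplied filter label in an option and echoes a visitor-supplied filter term back into the form; the function and option names (pfw_demo_*) are invented for the example. The unsafe pair shows the pattern the advisory describes (input reaching HTML without escaping, both stored and reflected); the hardened pair applies the standard WordPress controls: capability and nonce checks on the write path, sanitize_text_field() on input, and context-specific escaping (esc_html() for element text, esc_attr() for attribute values) on output.

```php
<?php
// Added example: hypothetical widget, not the plugin's own code.

// --- Vulnerable pattern: raw user input stored and later echoed ---
function pfw_demo_save_filter_label_unsafe() {
    if ( isset( $_POST['filter_label'] ) ) {
        // Stored as-is: any markup in the field persists and is served on every page view.
        update_option( 'pfw_demo_filter_label', wp_unslash( $_POST['filter_label'] ) );
    }
}

function pfw_demo_render_filter_unsafe() {
    $label = get_option( 'pfw_demo_filter_label', '' );
    $term  = isset( $_GET['pf_term'] ) ? wp_unslash( $_GET['pf_term'] ) : '';
    // Both values reach HTML unescaped: $label is the stored vector, $term the reflected one.
    echo '<div class="pfw-filter"><h3>' . $label . '</h3>';
    echo '<input type="text" name="pf_term" value="' . $term . '"></div>';
}

// --- Hardened pattern: authorize the write, sanitize on input, escape on output ---
function pfw_demo_save_filter_label_safe() {
    // Only users allowed to change site settings may write the option,
    // and the request must carry a valid nonce for this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'pfw_demo_save_label' );

    if ( isset( $_POST['filter_label'] ) ) {
        // sanitize_text_field() strips tags and control characters before storage.
        $label = sanitize_text_field( wp_unslash( $_POST['filter_label'] ) );
        update_option( 'pfw_demo_filter_label', $label );
    }
}

function pfw_demo_render_filter_safe() {
    $label = get_option( 'pfw_demo_filter_label', '' );
    $term  = isset( $_GET['pf_term'] ) ? sanitize_text_field( wp_unslash( $_GET['pf_term'] ) ) : '';

    // Escape for the exact output context. Escaping at render time is the control
    // that holds even if a value reached the database unsanitized.
    echo '<div class="pfw-filter"><h3>' . esc_html( $label ) . '</h3>';
    echo '<input type="text" name="pf_term" value="' . esc_attr( $term ) . '"></div>';
}
```

Sanitizing on save alone is not sufficient for stored data: values may already be in the database, or may arrive through another code path, so the render function escapes unconditionally. When reviewing a plugin for this class of bug, the question to ask at each echo is which escaping function matches the HTML context it lands in (esc_html, esc_attr, esc_url, or wp_kses_post for intentionally rich content).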

Exploitation

An unauthenticated attacker can trigger the vulnerability by crafting a malicious URL or input that, when processed by the plugin's filter widget, injects a script payload. While the vulnerability can be initiated without authentication, successful exploitation requires a privileged user to perform an action — such as clicking a malicious link, visiting a crafted page, or submitting a form — to execute the injected script in the context of the victim's browser session [1].

Impact

Successful exploitation allows the attacker to inject arbitrary scripts, redirects, advertisements, or other HTML payloads into the target website. These payloads execute when any visitor (including administrators) loads the affected page, leading to potential information disclosure, session hijacking, defacement, or redirection to malicious sites [1].

Mitigation

As of the publication date, an official patch is not yet available. Users are advised to immediately update the plugin when a patched version is released. If unable to update, administrators should contact their hosting provider or web developer for assistance. Patchstack has issued an automated mitigation rule that blocks attacks until an official fix can be tested and applied [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1