CVE-2026-9243
Description
The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15. This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=), allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
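The following is an added example, not code from the plugin or from the advisory, illustrating the escaping mistake the description names: esc_attr() encodes quotes and angle brackets but leaves spaces alone, so in an unquoted attribute the first space ends the value and the rest becomes a new attribute. The esc_attr() shim and the render_* function names are assumptions so the script runs outside WordPress.

```php
<?php
// Added example (not the plugin's code). Assumption: a minimal stand-in for
// WordPress esc_attr() so this runs without WordPress loaded.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        // Like esc_attr(), this encodes < > & " ' but leaves spaces and = intact.
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern (hypothetical rendering): the escaped value is written into
// an UNQUOTED attribute. A space in the value terminates dir= and the remainder
// is parsed by the browser as a separate attribute.
function render_vulnerable(string $direction): string {
    return '<div class="tp-carousel" dir=' . esc_attr($direction) . '>';
}

// Hardened pattern: quote the attribute AND allowlist the only two valid values
// for dir. Either change alone stops attribute injection; both together leave
// no attacker-controlled text in the attribute at all.
function render_hardened(string $direction): string {
    $dir = in_array($direction, ['ltr', 'rtl'], true) ? $direction : 'ltr';
    return '<div class="tp-carousel" dir="' . esc_attr($dir) . '">';
}

// Constructed input: the attribute-injection value quoted in the advisory.
$payload = 'ltr onmouseover=alert(1)';

echo "vulnerable: ", render_vulnerable($payload), PHP_EOL;
echo "hardened:   ", render_hardened($payload), PHP_EOL;

// Quoting alone also contains the value, because esc_attr() encodes the
// closing quote so the browser cannot leave the attribute early.
echo "quoted:     <div dir=\"", esc_attr($payload), "\">", PHP_EOL;
```

Run with `php example.php` and compare the three lines: only the vulnerable rendering yields a second, event-handler attribute on the element.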
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Plus Addons for Elementor plugin up to version 6.4.15 is vulnerable to Stored XSS via the 'carousel_direction' parameter due to insufficient output escaping in the Carousel Anything widget.
Vulnerability
The Carousel Anything widget in the Plus Addons for Elementor plugin for WordPress, versions up to and including 6.4.15, contains a Stored Cross-Site Scripting vulnerability via the carousel_direction parameter. The render() function places the attacker-controlled value into an unquoted HTML attribute (dir=) despite using esc_attr(), allowing attribute injection. This flaw enables the injection of arbitrary web scripts [1][2].
Exploitation
An attacker must have at least contributor-level access to the WordPress site. By editing or creating a page or post containing the vulnerable Carousel Anything widget, the attacker can set the carousel_direction parameter to a malicious payload, such as ltr onmouseover=alert(1). The injected script will be stored in the database and executed when any user accesses the compromised page, due to the missing quote around the attribute value [1][2].
Impact
Successful exploitation allows authenticated attackers with contributor-level privileges to perform stored cross-site scripting attacks. When a victim visits the compromised page, the attacker's script executes in the context of the victim's session, potentially leading to session hijacking, credential theft, defacement, or further malicious actions. The impact is limited to users who interact with the injected page [1][2].
Mitigation
As of the publication date (2026-05-29), a fixed version has not been released. Users should monitor the plugin's official repository or vendor site for an update beyond version 6.4.15. As a workaround, site administrators can restrict contributor-level access to trusted users only or disable the Carousel Anything widget if not essential [1][2].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=6.4.15
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.4.15/modules/widgets/tp_carousel_anything.php
- plugins.trac.wordpress.org/changeset
- www.wordfence.com/threat-intel/vulnerabilities/id/699e41ad-1991-4100-9ef2-caea7743e45b
News mentions
No linked articles in our index yet.