CVE-2026-9243: Stored XSS in Plus Addons for Elementor Carousel Widget
The Plus Addons for Elementor plugin contains a flaw that allows authenticated WordPress users with contributor-level permissions or higher to inject malicious scripts into website pages. When a victim visits an affected page, the injected script executes in their browser, potentially compromising their session or stealing data. The vulnerability exists in the Carousel Anything widget's handling of the carousel_direction parameter and affects versions up to 6.4.15.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15 This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=) allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9243 is a Stored Cross-Site Scripting (XSS) vulnerability in Plus Addons for Elementor versions ≤6.4.15. The Carousel Anything widget's render() function fails to properly escape the carousel_direction parameter before inserting it into an unquoted HTML dir= attribute. Although esc_attr() is called, the unquoted attribute context allows bypass through special characters, enabling attribute injection. An authenticated attacker with contributor or higher role can craft malicious input that persists in the WordPress database and executes whenever the page is viewed, affecting all site visitors.
Business impact
This vulnerability creates a persistent threat to website integrity and visitor security. An insider threat—or a compromised contributor account—can deface content, redirect users to malicious sites, steal authentication tokens, or deploy malware. For multi-author sites, editorial teams are exposed. The stored nature means the attack remains active until discovery and remediation, potentially affecting hundreds or thousands of page views. Customer trust and SEO reputation are at risk if exploited for phishing or malware distribution.
Affected systems
Plus Addons for Elementor plugin version 6.4.15 and all earlier versions are vulnerable. The vulnerability is triggered only when the Carousel Anything widget is used with the vulnerable carousel_direction parameter. Sites running later patched versions, or those not using this specific widget, are unaffected. The attack requires an authenticated WordPress user account with at least contributor-level capabilities.
Exploitability
Exploitability is moderate. An attacker must possess valid WordPress credentials at contributor level or above—a realistic scenario for sites with multiple editors, freelance contributors, or compromised accounts. No network access restrictions apply; exploitation occurs through normal WordPress UI or REST API. The attack requires no user interaction beyond the victim visiting the compromised page. However, the attacker cannot escalate privileges or execute code on the server itself; impact is limited to client-side browser context and session data.
Remediation
Update Plus Addons for Elementor to a patched version released after 6.4.15 (verify the exact version against the plugin's official changelog and security advisories). After patching, audit all pages containing the Carousel Anything widget to confirm no malicious carousel_direction values are stored. Review contributor account activity logs for suspicious carousel widget edits. Consider temporarily restricting Carousel Anything widget access to trusted authors pending patch deployment.
Patch guidance
Check the official Plus Addons for Elementor plugin repository or vendor security page for version 6.4.16 or later. Apply the update through the WordPress admin dashboard (Plugins → Updates) or manually via SFTP/file manager. Test on a staging environment first to ensure compatibility with your theme and other plugins. After deployment, flush any caching layers (page cache, CDN, object cache). Verify the widget functionality on pages using the Carousel Anything element. No database migration or manual code changes should be necessary; the patch should be transparent.
Detection guidance
Examine page and post revisions for Carousel Anything widget configurations, especially the carousel_direction parameter, for anomalous or suspicious values (e.g., containing quotes, angle brackets, or event handler syntax). Check WordPress user activity logs (via security plugins like Wordfence or audit logs) for contributor+ users editing pages with this widget around the published or modified dates of this CVE. Search database backups for stored payloads using grep patterns like dir=".*['";] or event handlers in widget serialized data. Monitor browser console errors on pages with Carousel Anything widgets for script injection warnings.
Why prioritize this
Although rated MEDIUM severity (CVSS 6.4), prioritize patching based on site role. High-priority: Multi-author sites, SaaS platforms with user-generated content, and public-facing WordPress installations. Moderate-priority: Single-author blogs or internal sites. The stored XSS nature, combined with contributor-level access prevalence in many organizations, elevates practical risk beyond the numerical score. Automated attack is unlikely but manual exploitation by insiders or account compromise is credible.
Risk score, explained
CVSS 3.1 score of 6.4 (MEDIUM) reflects: Attack Vector Network (easy remote access via WordPress), Attack Complexity Low (straightforward parameter injection), Privileges Required Low (contributor role common), User Interaction None (no victim action needed), Scope Changed (can affect other users), Confidentiality Low (session/data theft possible), Integrity Low (content modification), Availability None (no DoS). The score does not reflect organizational context; sites with relaxed contributor access or sensitive data may face elevated practical risk.
Frequently asked questions
Can a site visitor or an unauthenticated user exploit this?
No. The vulnerability requires valid WordPress login credentials at contributor level or higher. Unauthenticated visitors cannot inject the malicious payload; they can only be harmed by visiting a page where another authenticated user has already injected it.
What happens if I update the plugin—will stored malicious payloads be cleaned?
Updating the plugin prevents new injections but does not automatically remove existing payloads stored in the database. You must manually audit and clean affected page revisions, or restore from a clean backup taken before exploitation.
Does this affect the Elementor plugin itself or only Plus Addons?
This affects only the Plus Addons for Elementor plugin (a third-party extension). The core Elementor plugin is unaffected. Ensure you are patching the correct product: 'Plus Addons for Elementor,' not 'Elementor' itself.
Is there a WAF rule or mitigation while waiting for a patch?
No single WAF rule will reliably block this since it's stored XSS (payload is already in your database). Focus on access control: limit contributor roles, audit account activity, and apply the patch as soon as possible. Consider temporarily disabling the Carousel Anything widget if available in plugin settings.
This analysis is based on publicly disclosed vulnerability information current as of the publication date. Security researchers and organizations are encouraged to verify patch availability and compatibility in their specific environments before deployment. SEC.co makes no warranty regarding the completeness or accuracy of affected product lists or patch version numbers; consult official vendor advisories for authoritative guidance. Exploitation requires valid WordPress credentials and is not automatically weaponized; organizations should assess their own access control posture. For incident response or suspected compromise, engage professional security services. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1