GHSA-653v-fpr2-j969MediumCVSS 6.4

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+)...

Published
July 10, 2026
Last Modified
July 10, 2026

🔗 CVE IDs covered (1)

📋 Description

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's custom_attributes setting in versions up to and including 6.4.11. The render function in modules/widgets/tp_button.php passed the raw custom_attributes string through tp_senitize_js_input(). This filter is bypassable. The issue is patched in version 6.4.12.

🔗 References (7)