The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in version 6.4.12.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 05:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in version 6.4.12. | |
| Title | The Plus Addons for Elementor <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes | |
| Weaknesses | CWE-79 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-10T04:31:21.781Z
Reserved: 2026-07-09T15:49:35.073Z
Link: CVE-2026-15285
No data.
No data.
No data.
OpenCVE Enrichment
No data.