Esta página aún no ha sido traducida a tu idioma. Mostrando contenido en inglés mientras trabajamos en ello.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-5243: XSS in The Plus Addons for Elementor
Plataforma
wordpress
Componente
the-plus-addons-for-elementor-page-builder
Corregido en
6.4.12
CVE-2026-5243 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in The Plus Addons for Elementor, a popular WordPress plugin. This flaw allows authenticated attackers, possessing contributor-level access or higher, to inject arbitrary web scripts. Successful exploitation can lead to session hijacking, defacement, or other malicious actions impacting website visitors. The vulnerability affects versions from 0.0.0 up to and including 6.4.11, and a patch is available in version 6.4.12.
Detecta esta CVE en tu proyecto
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Impacto y Escenarios de Ataquetraduciendo…
The primary impact of CVE-2026-5243 is the ability for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be leveraged to steal session cookies, allowing the attacker to impersonate the user. Malicious scripts could also be used to redirect users to phishing sites, deface the website, or inject malware. Given the plugin's popularity and integration with Elementor, a widely used page builder, a successful attack could impact a large number of WordPress sites. The requirement for contributor-level access limits the immediate attack surface, but it's still a significant risk for sites with poorly managed user permissions.
Contexto de Explotacióntraduciendo…
CVE-2026-5243 was published on May 14, 2026. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely to be medium, reflecting the requirement for authenticated access and the availability of a straightforward fix. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature makes it likely that such code will emerge. Refer to the official The Plus Addons for Elementor advisory for further details.
Inteligencia de Amenazas
Estado del Exploit
CISA SSVC
Vector CVSS
¿Qué significan estas métricas?
- Attack Vector
- Red — explotable remotamente por internet. Sin acceso físico ni local. Mayor superficie de ataque.
- Attack Complexity
- Baja — sin condiciones especiales. El atacante puede explotar de forma confiable sin configuraciones raras.
- Privileges Required
- Bajo — cualquier cuenta de usuario válida es suficiente.
- User Interaction
- Ninguna — el ataque es automático y silencioso. La víctima no hace nada.
- Scope
- Cambiado — el ataque puede pivotar a otros sistemas más allá del componente vulnerable.
- Confidentiality
- Bajo — acceso parcial o indirecto a algunos datos.
- Integrity
- Bajo — el atacante puede modificar algunos datos con alcance limitado.
- Availability
- Ninguno — sin impacto en disponibilidad.
Software Afectado
Clasificación de Debilidad (CWE)
Cronología
- Reservado
- Publicada
Mitigación y Workaroundstraduciendo…
The most effective mitigation for CVE-2026-5243 is to immediately upgrade The Plus Addons for Elementor to version 6.4.12 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the Navigation Menu Lite widget to trusted administrators only. While not a complete solution, this can reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the menuhoverclick parameter can provide an additional layer of protection. Regularly review user permissions and ensure that only necessary roles are granted to contributors.
Cómo corregirlo
Actualizar a la versión 6.4.12, o una versión parcheada más reciente
Preguntas frecuentestraduciendo…
What is CVE-2026-5243 — XSS in The Plus Addons for Elementor?
CVE-2026-5243 is a stored Cross-Site Scripting (XSS) vulnerability affecting The Plus Addons for Elementor WordPress plugin. It allows authenticated attackers to inject malicious scripts via the menuhoverclick parameter, potentially leading to session hijacking and defacement.
Am I affected by CVE-2026-5243 in The Plus Addons for Elementor?
You are affected if you are using The Plus Addons for Elementor plugin in versions 0.0.0 through 6.4.11. Check your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2026-5243 in The Plus Addons for Elementor?
Upgrade The Plus Addons for Elementor plugin to version 6.4.12 or later. If immediate upgrade is not possible, restrict access to the Navigation Menu Lite widget to trusted administrators.
Is CVE-2026-5243 being actively exploited?
As of the current date, there are no confirmed reports of active exploitation in the wild. However, the vulnerability's nature makes it likely that exploitation attempts may occur.
Where can I find the official The Plus Addons for Elementor advisory for CVE-2026-5243?
Refer to the official The Plus Addons for Elementor website and WordPress plugin repository for the latest advisory and update information. Search for CVE-2026-5243 on their support pages.
¿Tu proyecto está afectado?
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Detecta esta CVE en tu proyecto
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Escanea tu proyecto WordPress ahora — sin cuenta
Sube cualquier manifiesto (composer.lock, package-lock.json, lista de plugins WordPress…) o pega tu lista de componentes. Recibís un reporte de vulnerabilidades al instante. Subir un archivo es solo el primer paso: con una cuenta tenés monitoreo continuo, alertas en tu canal, multi-proyecto y reportes white-label.
Arrastra y suelta tu archivo de dependencias
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...