Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-5243: XSS in The Plus Addons for Elementor
Platform
wordpress
Component
the-plus-addons-for-elementor-page-builder
Opgelost in
6.4.12
CVE-2026-5243 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in The Plus Addons for Elementor, a popular WordPress plugin. This flaw allows authenticated attackers, possessing contributor-level access or higher, to inject arbitrary web scripts. Successful exploitation can lead to session hijacking, defacement, or other malicious actions impacting website visitors. The vulnerability affects versions from 0.0.0 up to and including 6.4.11, and a patch is available in version 6.4.12.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Impact en Aanvalsscenarioswordt vertaald…
The primary impact of CVE-2026-5243 is the ability for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be leveraged to steal session cookies, allowing the attacker to impersonate the user. Malicious scripts could also be used to redirect users to phishing sites, deface the website, or inject malware. Given the plugin's popularity and integration with Elementor, a widely used page builder, a successful attack could impact a large number of WordPress sites. The requirement for contributor-level access limits the immediate attack surface, but it's still a significant risk for sites with poorly managed user permissions.
Uitbuitingscontextwordt vertaald…
CVE-2026-5243 was published on May 14, 2026. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely to be medium, reflecting the requirement for authenticated access and the availability of a straightforward fix. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature makes it likely that such code will emerge. Refer to the official The Plus Addons for Elementor advisory for further details.
Dreigingsinformatie
Exploit Status
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Laag — elk geldig gebruikersaccount is voldoende.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Laag — gedeeltelijke toegang tot enkele gegevens.
- Integrity
- Laag — aanvaller kan enkele gegevens met beperkte omvang aanpassen.
- Availability
- Geen — geen beschikbaarheidsimpact.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
Mitigatie en Workaroundswordt vertaald…
The most effective mitigation for CVE-2026-5243 is to immediately upgrade The Plus Addons for Elementor to version 6.4.12 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the Navigation Menu Lite widget to trusted administrators only. While not a complete solution, this can reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the menuhoverclick parameter can provide an additional layer of protection. Regularly review user permissions and ensure that only necessary roles are granted to contributors.
Hoe te verhelpen
Update naar versie 6.4.12, of een nieuwere gepatchte versie
Veelgestelde vragenwordt vertaald…
What is CVE-2026-5243 — XSS in The Plus Addons for Elementor?
CVE-2026-5243 is a stored Cross-Site Scripting (XSS) vulnerability affecting The Plus Addons for Elementor WordPress plugin. It allows authenticated attackers to inject malicious scripts via the menuhoverclick parameter, potentially leading to session hijacking and defacement.
Am I affected by CVE-2026-5243 in The Plus Addons for Elementor?
You are affected if you are using The Plus Addons for Elementor plugin in versions 0.0.0 through 6.4.11. Check your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2026-5243 in The Plus Addons for Elementor?
Upgrade The Plus Addons for Elementor plugin to version 6.4.12 or later. If immediate upgrade is not possible, restrict access to the Navigation Menu Lite widget to trusted administrators.
Is CVE-2026-5243 being actively exploited?
As of the current date, there are no confirmed reports of active exploitation in the wild. However, the vulnerability's nature makes it likely that exploitation attempts may occur.
Where can I find the official The Plus Addons for Elementor advisory for CVE-2026-5243?
Refer to the official The Plus Addons for Elementor website and WordPress plugin repository for the latest advisory and update information. Search for CVE-2026-5243 on their support pages.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Scan nu uw WordPress project — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...