Esta página ainda não foi traduzida para o seu idioma. Exibindo conteúdo em inglês enquanto trabalhamos nisso.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-5243: XSS in The Plus Addons for Elementor
Plataforma
wordpress
Componente
the-plus-addons-for-elementor-page-builder
Corrigido em
6.4.12
CVE-2026-5243 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in The Plus Addons for Elementor, a popular WordPress plugin. This flaw allows authenticated attackers, possessing contributor-level access or higher, to inject arbitrary web scripts. Successful exploitation can lead to session hijacking, defacement, or other malicious actions impacting website visitors. The vulnerability affects versions from 0.0.0 up to and including 6.4.11, and a patch is available in version 6.4.12.
Detecte esta CVE no seu projeto
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Impacto e Cenários de Ataquetraduzindo…
The primary impact of CVE-2026-5243 is the ability for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be leveraged to steal session cookies, allowing the attacker to impersonate the user. Malicious scripts could also be used to redirect users to phishing sites, deface the website, or inject malware. Given the plugin's popularity and integration with Elementor, a widely used page builder, a successful attack could impact a large number of WordPress sites. The requirement for contributor-level access limits the immediate attack surface, but it's still a significant risk for sites with poorly managed user permissions.
Contexto de Exploraçãotraduzindo…
CVE-2026-5243 was published on May 14, 2026. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely to be medium, reflecting the requirement for authenticated access and the availability of a straightforward fix. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature makes it likely that such code will emerge. Refer to the official The Plus Addons for Elementor advisory for further details.
Inteligência de Ameaças
Status do Exploit
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Baixo — qualquer conta de usuário válida é suficiente.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Alterado — o ataque pode pivotar para além do componente vulnerável.
- Confidentiality
- Baixo — acesso parcial ou indireto a alguns dados.
- Integrity
- Baixo — o atacante pode modificar alguns dados com alcance limitado.
- Availability
- Nenhum — sem impacto na disponibilidade.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
Mitigação e Soluções Alternativastraduzindo…
The most effective mitigation for CVE-2026-5243 is to immediately upgrade The Plus Addons for Elementor to version 6.4.12 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the Navigation Menu Lite widget to trusted administrators only. While not a complete solution, this can reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the menuhoverclick parameter can provide an additional layer of protection. Regularly review user permissions and ensure that only necessary roles are granted to contributors.
Como corrigir
Atualize para a versão 6.4.12, ou uma versão corrigida mais recente
Perguntas frequentestraduzindo…
What is CVE-2026-5243 — XSS in The Plus Addons for Elementor?
CVE-2026-5243 is a stored Cross-Site Scripting (XSS) vulnerability affecting The Plus Addons for Elementor WordPress plugin. It allows authenticated attackers to inject malicious scripts via the menuhoverclick parameter, potentially leading to session hijacking and defacement.
Am I affected by CVE-2026-5243 in The Plus Addons for Elementor?
You are affected if you are using The Plus Addons for Elementor plugin in versions 0.0.0 through 6.4.11. Check your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2026-5243 in The Plus Addons for Elementor?
Upgrade The Plus Addons for Elementor plugin to version 6.4.12 or later. If immediate upgrade is not possible, restrict access to the Navigation Menu Lite widget to trusted administrators.
Is CVE-2026-5243 being actively exploited?
As of the current date, there are no confirmed reports of active exploitation in the wild. However, the vulnerability's nature makes it likely that exploitation attempts may occur.
Where can I find the official The Plus Addons for Elementor advisory for CVE-2026-5243?
Refer to the official The Plus Addons for Elementor website and WordPress plugin repository for the latest advisory and update information. Search for CVE-2026-5243 on their support pages.
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Detecte esta CVE no seu projeto
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Escaneie seu projeto WordPress agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...