免费扫描

此页面尚未翻译为您的语言。我们正在努力翻译,目前显示英文内容。

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

MEDIUMCVE-2026-5243CVSS 6.4

CVE-2026-5243: XSS in The Plus Addons for Elementor

平台

wordpress

组件

the-plus-addons-for-elementor-page-builder

修复版本

6.4.12

在NVD查看
保存
正在翻译为您的语言…

CVE-2026-5243 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in The Plus Addons for Elementor, a popular WordPress plugin. This flaw allows authenticated attackers, possessing contributor-level access or higher, to inject arbitrary web scripts. Successful exploitation can lead to session hijacking, defacement, or other malicious actions impacting website visitors. The vulnerability affects versions from 0.0.0 up to and including 6.4.11, and a patch is available in version 6.4.12.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

The primary impact of CVE-2026-5243 is the ability for an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can be leveraged to steal session cookies, allowing the attacker to impersonate the user. Malicious scripts could also be used to redirect users to phishing sites, deface the website, or inject malware. Given the plugin's popularity and integration with Elementor, a widely used page builder, a successful attack could impact a large number of WordPress sites. The requirement for contributor-level access limits the immediate attack surface, but it's still a significant risk for sites with poorly managed user permissions.

利用背景翻译中…

CVE-2026-5243 was published on May 14, 2026. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely to be medium, reflecting the requirement for authenticated access and the availability of a straightforward fix. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature makes it likely that such code will emerge. Refer to the official The Plus Addons for Elementor advisory for further details.

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

CISA SSVC

利用情况none
可自动化no
技术影响partial

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N6.4MEDIUMAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredLow攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeChanged超出受影响组件的影响范围ConfidentialityLow敏感数据泄露风险IntegrityLow数据未授权篡改风险AvailabilityNone服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
低 — 任何有效用户账户均可。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
已改变 — 攻击可以超出脆弱组件,影响其他系统。
Confidentiality
低 — 可访问部分数据。
Integrity
低 — 攻击者可修改部分数据,影响有限。
Availability
无 — 无可用性影响。

受影响的软件

组件the-plus-addons-for-elementor-page-builder
供应商wordfence
最低版本0.0.0
最高版本6.4.11
修复版本6.4.12

弱点分类 (CWE)

CWE-79

时间线

  1. 已保留
  2. 发布日期

缓解措施和替代方案翻译中…

The most effective mitigation for CVE-2026-5243 is to immediately upgrade The Plus Addons for Elementor to version 6.4.12 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the Navigation Menu Lite widget to trusted administrators only. While not a complete solution, this can reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the menuhoverclick parameter can provide an additional layer of protection. Regularly review user permissions and ensure that only necessary roles are granted to contributors.

修复方法

更新到 6.4.12 版本,或更新的补丁版本

常见问题翻译中…

What is CVE-2026-5243 — XSS in The Plus Addons for Elementor?

CVE-2026-5243 is a stored Cross-Site Scripting (XSS) vulnerability affecting The Plus Addons for Elementor WordPress plugin. It allows authenticated attackers to inject malicious scripts via the menuhoverclick parameter, potentially leading to session hijacking and defacement.

Am I affected by CVE-2026-5243 in The Plus Addons for Elementor?

You are affected if you are using The Plus Addons for Elementor plugin in versions 0.0.0 through 6.4.11. Check your plugin version and upgrade immediately if vulnerable.

How do I fix CVE-2026-5243 in The Plus Addons for Elementor?

Upgrade The Plus Addons for Elementor plugin to version 6.4.12 or later. If immediate upgrade is not possible, restrict access to the Navigation Menu Lite widget to trusted administrators.

Is CVE-2026-5243 being actively exploited?

As of the current date, there are no confirmed reports of active exploitation in the wild. However, the vulnerability's nature makes it likely that exploitation attempts may occur.

Where can I find the official The Plus Addons for Elementor advisory for CVE-2026-5243?

Refer to the official The Plus Addons for Elementor website and WordPress plugin repository for the latest advisory and update information. Search for CVE-2026-5243 on their support pages.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE
WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描
live免费扫描

立即扫描您的WordPress项目 — 无需账户

上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。

手动扫描Slack/邮件提醒持续监控白标报告

拖放您的依赖文件

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...