Severity by source
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'args[filterFormArray]' parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The endpoint is registered via wp_ajax_nopriv_ with no nonce verification or capability check, and exploitation is delivered via a CSRF-style form auto-submission to the admin-ajax.php endpoint, requiring the attacker to trick a victim into visiting an attacker-controlled page.
Analysis (AI)
Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The vulnerable endpoint is registered via wp_ajax_nopriv_, meaning it is accessible to all visitors without any WordPress authentication: no login or account is required to send the malicious request. … |
| Risk Assessment | The CVSS 3.1 score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects a medium-severity finding with a meaningful real-world constraint: UI:R mandates that the victim actively visit an attacker-controlled page, which introduces a social-engineering dependency that tempers automated exploitation. … |
| Exploit Scenario | An attacker crafts a webpage containing a hidden HTML form that auto-submits via JavaScript to the target site's admin-ajax.php endpoint, injecting a malicious script payload into the 'args[filterFormArray]' POST parameter. The attacker distributes a link to this page via phishing email or social media to users of the target WordPress site; when any user visits the attacker's page, the form submits automatically, the server reflects the unsanitized payload back in the response, and the JavaScript executes in the victim's browser, potentially stealing session cookies or performing actions on behalf of the authenticated user. … |
| Remediation | No vendor-released patched version has been confirmed from the available intelligence data; site owners should monitor the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/e25ef117-72c4-4696-9248-5caa937b47e9?source=cve for an updated release. … |
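The two weaknesses named in the description (an AJAX handler exposed through wp_ajax_nopriv_ without nonce verification, and a request parameter reflected without sanitization or escaping) are a recognisable WordPress pattern. The following PHP is an added illustration written for this page, not the Product Filter Widget plugin's own code: the action names, function names, filter keys and the allow-list are hypothetical. It shows the vulnerable shape beside a hardened handler that keeps the endpoint usable for logged-out shoppers while closing both gaps.

```php
<?php
/**
 * Illustrative only: a generic WordPress AJAX filter handler written to show
 * the vulnerable pattern described in the advisory and a hardened version.
 * Not the Product Filter Widget plugin's code; every action name, function
 * name and key below is hypothetical.
 */

// --- Vulnerable pattern (the shape the advisory describes) ---
// Reachable by logged-out users via wp_ajax_nopriv_, no nonce check, and the
// request value is written straight into the HTML response.
add_action( 'wp_ajax_example_filter', 'example_filter_vulnerable' );
add_action( 'wp_ajax_nopriv_example_filter', 'example_filter_vulnerable' );

function example_filter_vulnerable() {
    $args = isset( $_POST['args'] ) ? (array) $_POST['args'] : array();
    // Reflected XSS: attacker-controlled input lands in the response verbatim.
    echo '<div class="filter-state" data-filters="' . $args['filterFormArray'] . '"></div>';
    wp_die();
}

// --- Hardened version ---
// 1. Mint a nonce server-side and hand it to the front-end script. A form
//    auto-submitted from an attacker's origin cannot obtain this value.
add_action( 'wp_enqueue_scripts', 'example_filter_enqueue' );
function example_filter_enqueue() {
    wp_enqueue_script( 'example-filter', plugins_url( 'filter.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-filter', 'exampleFilter', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_filter_action' ),
    ) );
}

add_action( 'wp_ajax_example_filter_safe', 'example_filter_hardened' );
add_action( 'wp_ajax_nopriv_example_filter_safe', 'example_filter_hardened' );

function example_filter_hardened() {
    // 2. Reject requests without a valid nonce; check_ajax_referer() ends the
    //    request with -1 on failure, before any input is touched.
    check_ajax_referer( 'example_filter_action', 'nonce' );

    // 3. Validate structure and sanitize every value on the way in.
    $raw = isset( $_POST['args']['filterFormArray'] ) ? wp_unslash( $_POST['args']['filterFormArray'] ) : array();
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( array( 'message' => 'Invalid filter data.' ), 400 );
    }
    $allowed_keys = array( 'category', 'min_price', 'max_price' ); // hypothetical allow-list
    $filters      = array();
    foreach ( $raw as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, $allowed_keys, true ) ) {
            continue; // anything outside the allow-list is dropped
        }
        $filters[ $key ] = sanitize_text_field( (string) $value );
    }

    // 4. Escape on the way out. esc_attr()/esc_html() neutralise any residual
    //    markup, and wp_send_json_success() sets a JSON Content-Type so the
    //    body is never interpreted as an HTML document by the browser.
    $html = '<div class="filter-state" data-filters="' . esc_attr( wp_json_encode( $filters ) ) . '">';
    foreach ( $filters as $key => $value ) {
        $html .= '<span>' . esc_html( $key ) . ': ' . esc_html( $value ) . '</span>';
    }
    $html .= '</div>';

    wp_send_json_success( array( 'html' => $html ) );
}
```

The front-end script is expected to post `action=example_filter_safe` together with `nonce=exampleFilter.nonce` (the value injected by wp_localize_script). Two points worth keeping in mind when applying this pattern: a nonce alone is a CSRF control, not an XSS control, so the sanitize-on-input and escape-on-output steps remain necessary even when the nonce check is present; and nonces issued to logged-out visitors are time-limited, so a full-page cache that serves stale HTML can hand out expired nonces and break the filter for legitimate users, which argues for fetching the nonce via a short uncached request or excluding the filter page from caching.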
Related identifiers: EUVD-2026-35316, GHSA-h2xw-xgmr-9632