CVE-2026-15285 in Plus Addons for Elementor Plugininfo

Summary

by MITRE • 07/10/2026

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in version 6.4.12.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The Plus Addons for Elementor plugin represents a popular extension for WordPress that enhances the functionality of the Elementor page builder with additional widgets and features. This particular vulnerability affects versions up to and including 6.4.11 where an authenticated stored cross-site scripting flaw exists within the Button widget's custom_attributes parameter. The vulnerability occurs when users with contributor privileges or higher attempt to add custom attributes to button elements, creating a persistent security risk that can be exploited by attackers who have gained access to these lower privilege accounts.

The technical implementation of this vulnerability stems from improper input sanitization within the tp_button.php module file. Specifically, the render function processes the custom_attributes string without adequate validation or escaping mechanisms before passing it through the tp_senitize_js_input() filter. This filter, while intended to provide security protection, contains a bypassable weakness that allows malicious script code to persist in the database. The vulnerability manifests as a stored XSS attack because the malicious input is saved to the WordPress database and subsequently rendered whenever the affected page is accessed by any user, including administrators.

The operational impact of this vulnerability extends beyond simple data theft or defacement scenarios. An attacker with contributor-level access can inject malicious JavaScript code that executes in the context of other users' browsers, potentially leading to session hijacking, privilege escalation, or data exfiltration. The stored nature of the vulnerability means that even if an attacker temporarily loses access to their account, the malicious payload remains active and continues to affect visitors until manually removed from the database. This creates a persistent threat vector that can compromise multiple users over extended periods.

Security professionals should note this vulnerability aligns with CWE-79 (Cross-Site Scripting) and follows patterns commonly associated with ATT&CK technique T1566 (Phishing) and T1071.1003 (Application Layer Protocol: Web Protocols). The patch implemented in version 6.4.12 addresses this issue by strengthening input validation and ensuring that all user-provided attributes undergo proper sanitization before being stored. Organizations should immediately upgrade to the patched version, conduct thorough security audits of their WordPress installations, and monitor for any suspicious activity in user accounts with contributor privileges or higher. Additionally, implementing proper role-based access controls and regular security scanning of plugins can help prevent similar vulnerabilities from being exploited in the future.

The broader implications suggest that plugin developers must prioritize robust input validation and sanitization practices, particularly when handling user-generated content that gets rendered in web pages. The vulnerability demonstrates how seemingly minor oversights in code can create significant security risks, emphasizing the critical importance of thorough security testing and regular vulnerability assessments for all WordPress plugins and themes.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!