The Plus Addons For Elementor – Addons For Elementor, Page Templates, Widgets, Mega Menu, Woocommerce
cpe:2.3:a:posimyththemes:the_plus_addons_for_elementor_–_addons_for_elementor,_page_templates,_widgets,_mega_menu,_woocommerce:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Posimyththemes (ecef35c2-ac01-58ae-93aa-049eec190067) |
|---|---|
| Product | The Plus Addons For Elementor – Addons For Elementor, Page Templates, Widgets, Mega Menu, Woocommerce (3895b316-131a-5deb-bb28-c131b35dbb8b) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-9243 | vulnerable | 2026-06-08 08:08:58.877010 | The Plus Addons for Elementor <= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'carousel_direction' Parameter<br>MEDIUM (6.4)<br>The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15. This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=) allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br>Published: 2026-05-29T06:43:41.113Z<br>Updated: 2026-05-29T10:06:02.975Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-5243 | vulnerable | 2026-06-08 08:07:03.441665 | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Navigation Menu Lite Widget<br>MEDIUM (6.4)<br>The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to stored cross-site scripting via the `menu_hover_click` parameter of the Navigation Menu Lite widget in all versions up to, and including, 6.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br>Published: 2026-05-14T05:30:27.508Z<br>Updated: 2026-05-14T10:47:13.936Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-3311 | vulnerable | 2026-06-08 08:01:18.372919 | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar<br>MEDIUM (6.4)<br>The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br>Published: 2026-04-08T05:28:59.702Z<br>Updated: 2026-04-08T17:55:51.767Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-2386 | vulnerable | 2026-06-08 07:55:16.991313 | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation via 'post_type'<br>MEDIUM (4.3)<br>The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_create_page() AJAX handler authorizing users only with current_user_can('edit_posts') while accepting a user-controlled 'post_type' value passed directly to wp_insert_post() without post-type-specific capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to create arbitrary draft posts for restricted post types (e.g., 'page' and 'nxt_builder') via the 'post_type' parameter.<br>Published: 2026-02-18T12:28:34.722Z<br>Updated: 2026-04-08T16:52:08.178Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-2385 | vulnerable | 2026-06-08 07:55:16.990745 | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Unauthenticated Email Relay<br>MEDIUM (5.3)<br>The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.<br>Published: 2026-02-22T08:24:44.635Z<br>Updated: 2026-04-08T17:09:16.352Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-7646 | vulnerable | 2026-06-08 07:45:17.857026 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-1287 | vulnerable | 2026-06-08 07:08:36.247811 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-8913 | vulnerable | 2026-06-08 07:00:26.014712 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-6575 | vulnerable | 2026-06-08 06:58:19.923284 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-5763 | vulnerable | 2026-06-08 06:56:17.297096 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-5583 | vulnerable | 2026-06-08 06:56:16.614725 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-4983 | vulnerable | 2026-06-08 06:52:08.693542 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-4485 | vulnerable | 2026-06-08 06:50:17.845959 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-4484 | vulnerable | 2026-06-08 06:50:17.845566 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-4482 | vulnerable | 2026-06-08 06:50:17.841647 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-3718 | vulnerable | 2026-06-08 06:43:51.273518 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-3199 | vulnerable | 2026-06-08 06:41:52.676667 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-3197 | vulnerable | 2026-06-08 06:41:52.673468 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-2785 | vulnerable | 2026-06-08 06:35:27.345281 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-2784 | vulnerable | 2026-06-08 06:35:27.342769 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-2210 | vulnerable | 2026-06-08 06:33:30.622089 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-2203 | vulnerable | 2026-06-08 06:33:30.574041 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-1419 | vulnerable | 2026-06-08 06:25:40.038083 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-11829 | vulnerable | 2026-06-08 06:23:50.470176 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-10365 | vulnerable | 2026-06-08 06:22:04.060839 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-0445 | vulnerable | 2026-06-08 06:22:01.083852 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-4332 | vulnerable | 2026-06-08 05:38:09.198244 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-4331 | vulnerable | 2026-06-08 05:38:09.194517 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |