PatchSiren cyber security CVE debrief
CVE-2026-11603 brthumar1959 CVE debrief
The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'args[filterFormArray]' parameter in all versions up to, and including, 1.0.6. This vulnerability is due to insufficient input sanitization and output escaping. An unauthenticated attacker can inject arbitrary web scripts into pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The endpoint is registered via wp_ajax_nopriv_ with no nonce verification or capability check, and exploitation is delivered via a CSRF-style form auto-submission to the admin-ajax.php endpoint, requiring the attacker to trick a victim into visiting an attacker-controlled page.
- Vendor: brthumar1959
- Product: Product Filter Widget for Elementor
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of the Product Filter Widget for Elementor plugin for WordPress, particularly those running versions up to and including 1.0.6, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity. It allows for Reflected Cross-Site Scripting (XSS) attacks, which can lead to unauthorized actions on behalf of the user.
Defensive priority
High
Recommended defensive actions
- Update the Product Filter Widget for Elementor plugin to a version that fixes this vulnerability.
- Implement additional security measures such as input validation and output encoding to prevent similar vulnerabilities.
- Educate users about the risks of clicking on suspicious links and the importance of verifying the authenticity of requests.
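The description above names three missing controls on the admin-ajax.php handler: nonce verification, input sanitization and output escaping. The following is an added example of a hardened handler for a public filter endpoint, written for this debrief and not taken from the plugin; the action name `pfw_filter_products`, the function names and the `pfw_nonce` field are hypothetical, while the WordPress functions used are the standard ones.

```php
<?php
// Added example (not the plugin's code): a hardened admin-ajax.php handler
// for a public (unauthenticated) product-filter request. The action name,
// the handler and nonce field names below are hypothetical.

// Register for logged-in and anonymous callers alike; wp_ajax_nopriv_ alone
// serves only visitors without a session.
add_action( 'wp_ajax_pfw_filter_products',        'pfw_filter_products' );
add_action( 'wp_ajax_nopriv_pfw_filter_products', 'pfw_filter_products' );

// Emit the nonce inside the widget markup so the front-end script can
// include it with every filter request.
function pfw_print_filter_nonce() {
    wp_nonce_field( 'pfw_filter_products', 'pfw_nonce' );
}

function pfw_filter_products() {
    // 1. Nonce verification: a form auto-submitted from a third-party page
    //    cannot carry a valid nonce, so check_ajax_referer() terminates the
    //    request (HTTP 403) when the nonce is missing, wrong or expired.
    check_ajax_referer( 'pfw_filter_products', 'pfw_nonce' );

    // 2. Input sanitization: accept args[filterFormArray] only as an array of
    //    scalar values; keys are reduced to [a-z0-9_-] and values to plain text.
    $args = ( isset( $_POST['args'] ) && is_array( $_POST['args'] ) )
        ? wp_unslash( $_POST['args'] ) : array();
    $raw  = ( isset( $args['filterFormArray'] ) && is_array( $args['filterFormArray'] ) )
        ? $args['filterFormArray'] : array();
    $filters = array();
    foreach ( $raw as $key => $value ) {
        if ( is_scalar( $value ) ) {
            $filters[ sanitize_key( (string) $key ) ] = sanitize_text_field( (string) $value );
        }
    }

    // 3. Output escaping: every value reflected into HTML passes through
    //    esc_attr()/esc_html(), and the response is built with
    //    wp_send_json_success() instead of echoing request data directly.
    $html = '';
    foreach ( $filters as $key => $value ) {
        $html .= sprintf(
            '<li data-filter="%s">%s</li>',
            esc_attr( $key ),
            esc_html( $value )
        );
    }
    wp_send_json_success( array( 'html' => $html ) );
}
```

The same three steps apply to any handler that reflects request parameters; a capability check (`current_user_can()`) belongs on the `wp_ajax_` variant only when the action is meant for authenticated users.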
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide official information about this vulnerability. Additional references can be found at [ref-4] and [ref-5].
Official resources
CVE-2026-11603 was published on 2026-06-09T05:16:30.090Z and modified on 2026-06-09T13:33:34.393Z.