PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15285 posimyththemes CVE debrief

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in version 6.4.12. Affected product deployments should be reviewed for exposure and updated to version 6.4.12 or later.

Vendor
posimyththemes
Product
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of the Plus Addons for Elementor plugin for WordPress should update to version 6.4.12 or later to address this vulnerability. This update is crucial for operators of WordPress sites that utilize the Plus Addons for Elementor, as it mitigates the risk of Authenticated (Contributor+) Stored Cross-Site Scripting attacks via the Button widget's `custom_attributes` setting. Vulnerability management teams should prioritize this update, and security teams should review compensating controls for exposed systems while remediation is scheduled and verified.

Technical summary

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable, allowing an attacker to inject malicious scripts. The issue is patched in version 6.4.12. Affected product deployments should be reviewed for exposure and updated to version 6.4.12 or later. This vulnerability requires authentication and has a CVSS score of 6.4, indicating a medium severity level.

Defensive priority

Medium priority given the CVSS score of 6.4 and the fact that the vulnerability requires authentication. Additional security measures should be implemented to prevent cross-site scripting attacks, such as reviewing and monitoring user input for the Button widget's `custom_attributes` setting and tracking exceptions and retesting remediated assets after evidence is documented. Compensating controls for exposed systems should be reviewed while remediation is scheduled and verified. Monitoring, detection, and logs for exposed assets should be checked for extra review. Asset inventory and rollback/change windows should be considered for affected systems. Source tracking should be implemented to verify affected scope and severity. Vendor guidance should be reviewed to validate affected scope and severity. Managed environments should be confirmed for affected product deployments and an owner should be assigned for follow-up. Security teams should plan vendor-supported updates or mitigations through normal change control where exposure is confirmed. Security teams should review compensating controls for exposed systems while remediation is scheduled and verified. Security teams should check relevant monitoring, detection, and logs for exposed assets that need extra review. Security teams should track exceptions, retest remediated assets, and close the item only after evidence is documented. Security teams should review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance. Security teams should confirm whether affected product deployments exist in managed environments and assign an owner for follow-up. Security teams should plan vendor-supported updates or mitigations through normal change control where exposure is confirmed. Security teams should review compensating controls for exposed systems while remediation is scheduled and verified. Security teams should check relevant monitoring, detection, and logs for exposed assets that need extra review. Security teams should track exceptions, retest remediated assets, and close the item only after evidence is documented. Security teams should review the supplied official or

Recommended defensive actions

  • Update to version 6.4.12 or later
  • Review and monitor user input for the Button widget's `custom_attributes` setting
  • Implement additional security measures to prevent cross-site scripting attacks
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-10T05:16:31.210Z and last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. Evidence is limited to CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:31.210Z and has not been modified since then. The NVD entry is currently Deferred.