PatchSiren cyber security CVE debrief

CVE-2026-9243 posimyththemes CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in The Plus Addons for Elementor WordPress plugin, affecting versions up to and including 6.4.15. The flaw is in the Carousel Anything widget's render() function, which writes the 'carousel_direction' setting into an unquoted dir= HTML attribute. esc_attr() is applied, but it encodes only &, <, >, " and ' and leaves whitespace untouched; in an unquoted attribute the first space ends the value, so a crafted setting appends further attributes, including inline event handlers, and those execute script. An authenticated attacker with Contributor or higher privileges can therefore store JavaScript that runs in the browser of anyone who views the affected page, including higher-privileged users. The vulnerability was disclosed on 2026-05-29 and carries a CVSS 3.1 base score of 6.4 (MEDIUM). Version 6.4.16 fixes the issue.

Vendor
posimyththemes
Product
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

  • WordPress site administrators running The Plus Addons for Elementor
  • Security teams responsible for WordPress installations with multiple authors, where Contributor or Author accounts are handed to less-trusted users
  • Developers reviewing output escaping in Elementor widgets, in particular anywhere an escaped value is written into an attribute without surrounding quotes

Technical summary

The Plus Addons for Elementor plugin (≤6.4.15) contains a stored XSS vulnerability in the Carousel Anything widget. In tp_carousel_anything.php, the widget's render() function emits the 'carousel_direction' setting as an unquoted dir= attribute. esc_attr() neutralises the characters that would normally be needed to break out of an attribute (quotes, angle brackets, ampersand), which is why the escaping looks correct at a glance. It does not touch spaces or '=', and an unquoted attribute value ends at the first whitespace, so a value such as a legitimate direction followed by a space and an onmouseover= or similar handler is rendered as two attributes instead of one. The setting is part of the saved page content, so the payload persists and executes in the browser of every visitor, editor or administrator who views or previews the page. Exploitation requires only an account able to create or edit posts with the widget (Contributor or higher) and no interaction from the victim beyond viewing the page. Fixed in version 6.4.16.

Defensive priority

Medium

Recommended defensive actions

  • Update The Plus Addons for Elementor to version 6.4.16 or later. This is the only change that removes the bug; the items below reduce exposure until the update is applied and help find abuse that may already have happened.
  • Review existing posts and pages that use the Carousel Anything widget for carousel_direction values that are not a plain direction keyword. Elementor stores widget settings as JSON in the _elementor_data post meta, so that is where a stored value containing whitespace, '=' or 'on...=' would be found; check revisions as well as the published content.
  • Limit Contributor and higher accounts to trusted users, and review recently created accounts at those levels, since this is the privilege the attack requires.
  • Use a Content Security Policy to contain stored XSS. Inline event handlers such as onmouseover= are blocked only when script-src omits 'unsafe-inline'; WordPress themes and Elementor commonly depend on inline scripts, so deploy in Content-Security-Policy-Report-Only mode first and review the violation reports before enforcing.
  • As a stopgap, a Web Application Firewall rule that flags whitespace or '=' in direction-style widget settings submitted through the Elementor editor can detect attribute injection attempts, but treat it as detection and defence in depth rather than a fix, since encoding variations may bypass pattern matching.

Evidence notes

The vulnerability is documented in the NVD record with a Deferred status. The Wordfence security advisory provides the technical analysis identifying the affected file (tp_carousel_anything.php) at lines 1143 and 1187 in version 6.4.15, and links the changeset showing remediation in version 6.4.16. The CWE-79 classification confirms cross-site scripting. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, i.e. network-reachable, low attack complexity, low privileges required (the Contributor account), no user interaction beyond viewing the page, changed scope because the script runs in other users' browsers, and low confidentiality and integrity impact with no availability impact.
