MEDIUM
posimyththemes
CVE published 2026-05-29
CVE-2026-9243
A stored cross-site scripting (XSS) vulnerability exists in The Plus Addons for Elementor WordPress plugin, affecting versions up to and including 6.4.15. The flaw resides in the Carousel Anything widget's render() function, where the 'carousel_direction' parameter is inserted into an unquoted HTML dir= attribute. Although esc_attr() is applied, the unquoted attribute context permits attribute injection, [truncated]