PatchSiren

posimyththemes CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM posimyththemes CVE published 2026-07-10

CVE-2026-15285

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in versio [truncated]

MEDIUM posimyththemes CVE published 2026-07-08

CVE-2026-6740

The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, wh [truncated]

MEDIUM posimyththemes CVE published 2026-05-29

CVE-2026-9243

A stored cross-site scripting (XSS) vulnerability exists in The Plus Addons for Elementor WordPress plugin, affecting versions up to and including 6.4.15. The flaw resides in the Carousel Anything widget's render() function, where the 'carousel_direction' parameter is inserted into an unquoted HTML dir= attribute. Although esc_attr() is applied, the unquoted attribute context permits attribute injection, [truncated]