cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for product-filter-widget-for-elementor

Jun 07, 2024

Product Filter Widget for Elementor # 89a008df4d2845c3541457069068a7cf732a0044

Date
Jul 19, 2023
Research Description
Product Filter Widget for Elementor [product-filter-widget-for-elementor] < 1.0.2. The WordPress Product Filter Widget for Elementor plugin <= 1.0.1 is vulnerable to Cross-Site Scripting (XSS). Rafie Muhammad (Patchstack) discovered and reported the issue. It could allow a malicious actor to inject scripts, such as redirects, advertisements and other HTML payloads, into the site; these execute in the browser of any visitor who loads the affected page. The vulnerability was fixed in version 1.0.2: update the plugin to the latest available version.
Affected versions
max 1.0.1 (fixed in 1.0.2).
Status
vulnerable
Jun 10, 2026

Product Filter Widget for Elementor # CVE-2026-45437

CVE, Research URL

CVE-2026-45437

Date
-
Research Description
Product Filter Widget for Elementor [product-filter-widget-for-elementor] <= 1.0.6 (unfixed), CVE-2026-45437. No further details are published for this entry; all versions up to and including 1.0.6 are listed as affected and no fixed version is listed.
Affected versions
max 1.0.6.
Status
vulnerable

Product Filter Widget for Elementor # CVE-2026-11603

CVE, Research URL

CVE-2026-11603

Date
Jun 09, 2026
Research Description
The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'args[filterFormArray]' parameter in all versions up to, and including, 1.0.6, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser if the attacker can trick the victim into performing an action such as clicking a link. The endpoint is registered via wp_ajax_nopriv_ with no nonce verification or capability check, so it is reachable without a session; exploitation is delivered by a CSRF-style auto-submitted form posting to the admin-ajax.php endpoint, which requires the attacker to lure the victim to an attacker-controlled page.
Affected versions
max 1.0.6.
Status
vulnerable
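The pattern described in CVE-2026-11603, shown as an added example in PHP. This is not code from the Product Filter Widget for Elementor plugin or from the advisory: the action names (pfw_filter, pfw_filter_safe), the pfw_ function prefix, the nonce action name and the script handle are all assumptions chosen for illustration. The first handler reproduces the advisory's description (a wp_ajax_nopriv_ handler that reflects args[filterFormArray] with no nonce, capability check, sanitization or escaping); the second shows the hardened form.

```php
<?php
/**
 * Added example (hypothetical handler, not the plugin's own code) of the
 * reflected-XSS pattern in CVE-2026-11603 and a hardened replacement.
 * All hook names, the 'pfw_' prefix and the 'pfw_filter' nonce action are assumed.
 */

// --- Vulnerable pattern: reflects args[filterFormArray] without a nonce,
// capability check, sanitization or escaping. Registering it with
// wp_ajax_nopriv_ makes it reachable by anyone, including a form
// auto-submitted from an attacker's page in the victim's browser.
function pfw_vulnerable_filter_handler() {
    $args = isset( $_POST['args'] ) ? $_POST['args'] : array();
    $form = isset( $args['filterFormArray'] ) ? $args['filterFormArray'] : '';

    // Raw request data lands in the HTML response: a <script> element or an
    // event-handler attribute in the parameter runs in the requesting browser.
    echo '<div class="pfw-filter" data-form="' . $form . '">' . $form . '</div>';
    wp_die();
}
add_action( 'wp_ajax_pfw_filter',        'pfw_vulnerable_filter_handler' );
add_action( 'wp_ajax_nopriv_pfw_filter', 'pfw_vulnerable_filter_handler' );

// --- Hardened pattern.
function pfw_hardened_filter_handler() {
    // 1. Nonce: rejects cross-site posts that do not carry a token issued for
    //    this action by the page that embeds the widget (dies with 403 on failure).
    check_ajax_referer( 'pfw_filter', 'nonce' );

    // 2. Sanitize on input: accept only the shape we expect (an array of
    //    scalar strings) and strip tags and control characters from each one.
    $args = ( isset( $_POST['args'] ) && is_array( $_POST['args'] ) )
        ? wp_unslash( $_POST['args'] ) : array();
    $form = isset( $args['filterFormArray'] ) ? (array) $args['filterFormArray'] : array();
    $form = array_filter( $form, 'is_string' );          // drop nested arrays
    $form = array_map( 'sanitize_text_field', $form );

    // 3. Escape on output, per context: esc_attr() inside an attribute value,
    //    esc_html() in element content. Never echo request data unescaped.
    $html = '<div class="pfw-filter">';
    foreach ( $form as $key => $value ) {
        $html .= sprintf(
            '<span data-key="%s">%s</span>',
            esc_attr( sanitize_key( $key ) ),
            esc_html( $value )
        );
    }
    $html .= '</div>';

    // 4. Answer as JSON: wp_send_json_success() sets Content-Type to
    //    application/json and exits, so the response is never parsed as a page.
    wp_send_json_success( array( 'html' => $html ) );
}
add_action( 'wp_ajax_pfw_filter_safe',        'pfw_hardened_filter_handler' );
add_action( 'wp_ajax_nopriv_pfw_filter_safe', 'pfw_hardened_filter_handler' );

// The widget's JavaScript must receive the nonce to send it back as the
// 'nonce' POST field; wp_localize_script() is the standard way to pass it.
function pfw_enqueue_widget_script() {
    wp_enqueue_script( 'pfw-widget', plugins_url( 'widget.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'pfw-widget', 'pfwAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'pfw_filter' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'pfw_enqueue_widget_script' );
```

The fix for the XSS itself is steps 2 and 3: sanitizing on input and escaping on output for the HTML context the value lands in. The nonce is defence in depth against the CSRF-style delivery, not a substitute: on a wp_ajax_nopriv_ endpoint the nonce has to be handed to anonymous visitors, so an attacker can fetch one for a logged-out session, and it only blocks requests forged against a logged-in victim, whose nonce is bound to that user's session token.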