cleantalk
Vulnerabilities and Security Researches

Product Filter Widget for Elementor, CVE-2026-11603

CVE, Research URL

CVE-2026-11603

Home page URL

Security reports for Product Filter Widget for Elementor

Application

Product Filter Widget for Elementor

Published on
Jun 09, 2026
Research Description
The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The endpoint is registered via wp_ajax_nopriv_ with no nonce verification or capability check, and exploitation is delivered via a CSRF-style form auto-submission to the admin-ajax.php endpoint, requiring the attacker to trick a victim into visiting an attacker-controlled page.
Affected versions
max 1.0.6.
Status
vulnerable
Previous vulnerability researches
Responsive Accordion Slider (CVE-2026-0635) , Apr 17, 2026
Accordion Slider Lite (CVE-2024-11892) , Jan 12, 2025
Accordion Slider (CVE-2024-9582) , Oct 17, 2024
Accordion Slider (a2445cf94cd548f02bbbcd9e1cbd090255c550ed) , Jun 07, 2024
Accordion Slider (CVE-2023-40331) , Jun 10, 2024
New vulnerability
Product Filter Widget for Elementor (CVE-2026-11603) , Jun 10, 2026
Product Filter Widget for Elementor (CVE-2026-45437) , Jun 10, 2026
WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms (CVE-2026-49105) , Jun 10, 2026
WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms (CVE-2026-2568) , Jun 10, 2026
Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One (CVE-2026-48966) , Jun 10, 2026