CVE-2026-5243 Overview
CVE-2026-5243 is a stored cross-site scripting (XSS) vulnerability in The Plus Addons for Elementor WordPress plugin. The flaw exists in the menu_hover_click parameter of the Navigation Menu Lite widget. All plugin versions up to and including 6.4.11 are affected. The vulnerability stems from insufficient input sanitization and output escaping, classified as [CWE-79]. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript into pages. Injected scripts execute in the browser of any visitor who loads the affected page.
Critical Impact
Authenticated contributors can store malicious JavaScript that executes against site visitors and administrators, enabling session theft, account takeover, and unauthorized actions in the WordPress admin context.
Affected Products
- The Plus Addons for Elementor plugin for WordPress, versions up to and including 6.4.11
- WordPress sites using the Navigation Menu Lite widget from this plugin
- Sites granting contributor-level access or higher to untrusted users
Discovery Timeline
- 2026-05-14 - CVE-2026-5243 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-5243
Vulnerability Analysis
The vulnerability resides in the tp_navigation_menu_lite.php module of The Plus Addons for Elementor. The Navigation Menu Lite widget accepts a menu_hover_click parameter from authenticated users. The plugin fails to sanitize this input on save and does not escape the value on output. Stored payloads persist in the page configuration and render whenever a visitor loads the affected page. Because contributor-level users can edit posts and pages containing Elementor widgets, the bar for exploitation is low on multi-author sites. Executed scripts run with the privileges of the viewing user, including administrators.
Root Cause
The root cause is missing input sanitization and missing output escaping for a widget attribute that ultimately reaches the rendered HTML. WordPress provides helpers such as sanitize_text_field(), wp_kses(), and esc_attr() to mitigate this class of issue. The vulnerable code paths did not apply these controls to the menu_hover_click parameter before storage or rendering.
Attack Vector
Exploitation requires an authenticated account with contributor privileges or above. The attacker edits a page that uses the Navigation Menu Lite widget and supplies a crafted value for menu_hover_click containing JavaScript. The payload is stored with the page content. When any user — including an administrator — views the page, the browser executes the injected script in the site's origin. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-5243
Indicators of Compromise
- Page or post records containing <script>, onerror=, onload=, or javascript: strings within Elementor widget metadata for Navigation Menu Lite.
- Outbound requests from site visitors to unfamiliar third-party domains shortly after page load.
- New or modified administrator accounts following contributor-level edits to pages using the Navigation Menu Lite widget.
Detection Strategies
- Audit the wp_postmeta table for the _elementor_data key and search for menu_hover_click values containing HTML or script syntax.
- Review the WordPress plugin version against the plugin change log to confirm sites running 6.4.11 or earlier.
- Inspect web server access logs for POST requests to admin-ajax.php or the Elementor editor endpoints originating from contributor accounts.
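As an added example (not code from the advisory or the plugin), the wp_postmeta audit from the Detection Strategies list above in Python: it walks the _elementor_data element tree, checks every widget's menu_hover_click setting against the indicator strings listed above, and runs over constructed sample rows. The widgetType slug and the assumption that a legitimate value is a short keyword are mine, not the plugin's.

```python
import json
import re

# Syntax from the advisory's indicators: tags, inline event handlers, javascript: URIs.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
# Assumption: a legitimate menu_hover_click value is a short keyword such as "hover" or "click".
LEGIT = re.compile(r"^[a-z_-]{0,32}$", re.IGNORECASE)

def iter_widgets(elements):
    """Depth-first walk of an Elementor element tree, yielding widget elements."""
    for el in elements:
        if el.get("elType") == "widget":
            yield el
        yield from iter_widgets(el.get("elements") or [])

def find_suspicious(post_id, meta_value):
    """Scan one _elementor_data value; return (post_id, element id, value) per hit."""
    try:
        tree = json.loads(meta_value)
    except (TypeError, ValueError):
        return []  # not Elementor JSON (or corrupted): nothing to scan
    if not isinstance(tree, list):
        return []
    hits = []
    for w in iter_widgets(tree):
        value = w.get("settings", {}).get("menu_hover_click")
        if isinstance(value, str) and (SUSPICIOUS.search(value) or not LEGIT.match(value)):
            hits.append((post_id, w.get("id"), value))
    return hits
def audit(rows):
    """rows: (post_id, meta_value) pairs from wp_postmeta WHERE meta_key = '_elementor_data'."""
    findings = []
    for post_id, meta_value in rows:
        findings.extend(find_suspicious(post_id, meta_value))
    return findings

def widget(wid, setting):
    """Constructed widget element; the widgetType slug is illustrative, not the plugin's real one."""
    return {"id": wid, "elType": "widget", "widgetType": "nav-menu-lite-example",
            "settings": {"menu_hover_click": setting}, "elements": []}
# Constructed sample rows mimicking (post_id, meta_value) pairs from wp_postmeta.
SAMPLE_ROWS = [
    (101, json.dumps([{"id": "s1", "elType": "section", "settings": {}, "elements": [
        {"id": "c1", "elType": "column", "settings": {}, "elements": [widget("w1", "hover")]}]}])),
    (102, json.dumps([widget("w2", "<script>constructed-marker</script>")])),
    (103, "not elementor json"),
]
if __name__ == "__main__":
    for post_id, wid, value in audit(SAMPLE_ROWS):
        print(f"post {post_id} widget {wid}: {value!r}")
```

Against a live site, feed it the rows returned by a query on wp_postmeta filtered to meta_key = '_elementor_data' and then inspect each flagged post by hand.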
Monitoring Recommendations
- Enable a Web Application Firewall (WAF) with rules that block XSS patterns in Elementor save requests.
- Monitor WordPress audit logs for content changes made by contributor-level accounts.
- Alert on Content Security Policy (CSP) violation reports indicating inline script execution on public pages.
How to Mitigate CVE-2026-5243
Immediate Actions Required
- Update The Plus Addons for Elementor plugin to version 6.4.12 or later on all WordPress installations.
- Review all pages using the Navigation Menu Lite widget for unexpected content in the menu_hover_click field.
- Rotate administrator credentials and invalidate active sessions if injected scripts were present.
Patch Information
The vendor addressed CVE-2026-5243 in version 6.4.12 of The Plus Addons for Elementor. The fix applies proper sanitization and escaping to the menu_hover_click parameter in tp_navigation_menu_lite.php. Refer to the WordPress plugin change log for the code differences between 6.4.11 and 6.4.12.
Workarounds
- Restrict contributor and author roles to trusted users until the plugin is patched.
- Disable the Navigation Menu Lite widget through Elementor role manager settings if patching is not immediately possible.
- Deploy a strict Content Security Policy (CSP) that blocks inline scripts on public-facing pages to reduce payload execution.
# Update the plugin via WP-CLI
wp plugin update the-plus-addons-for-elementor-page-builder --version=6.4.12
# Confirm the installed version and activation status after the update
wp plugin list --name=the-plus-addons-for-elementor-page-builder --fields=name,version,status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.