📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global vulnerability Technology and Software Development HIGH 1h Global vulnerability Government and Federal Agencies CRITICAL 1h Global supply_chain Software Development and Open-Source Ecosystems HIGH 2h Global vulnerability Enterprise Software/SaaS MEDIUM 2h Global supply_chain Software Development HIGH 2h Global general Insurance/Risk Management HIGH 3h Global data_breach Enterprise Software / Information Technology CRITICAL 4h Global vulnerability Technology/Software CRITICAL 6h Global malware Social Media and Consumer Technology HIGH 6h Global botnet Information Technology and IoT HIGH 6h Global vulnerability Technology and Software Development HIGH 1h Global vulnerability Government and Federal Agencies CRITICAL 1h Global supply_chain Software Development and Open-Source Ecosystems HIGH 2h Global vulnerability Enterprise Software/SaaS MEDIUM 2h Global supply_chain Software Development HIGH 2h Global general Insurance/Risk Management HIGH 3h Global data_breach Enterprise Software / Information Technology CRITICAL 4h Global vulnerability Technology/Software CRITICAL 6h Global malware Social Media and Consumer Technology HIGH 6h Global botnet Information Technology and IoT HIGH 6h Global vulnerability Technology and Software Development HIGH 1h Global vulnerability Government and Federal Agencies CRITICAL 1h Global supply_chain Software Development and Open-Source Ecosystems HIGH 2h Global vulnerability Enterprise Software/SaaS MEDIUM 2h Global supply_chain Software Development HIGH 2h Global general Insurance/Risk Management HIGH 3h Global data_breach Enterprise Software / Information Technology CRITICAL 4h Global vulnerability Technology/Software CRITICAL 6h Global malware Social Media and Consumer Technology HIGH 6h Global botnet Information Technology and IoT HIGH 6h
Vulnerabilities

CVE-2026-9243

Medium
CWE-79 — Weakness Type
Published: May 29, 2026  ·  Modified: Jun 1, 2026  ·  Source: NVD
CVSS v3
6.4
🔗 NVD Official
📄 Description (English)

The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15 This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=) allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

The Plus Addons for Elementor plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the Carousel Anything widget affecting versions up to 6.4.15. Authenticated attackers with contributor-level access can inject malicious scripts through the 'carousel_direction' parameter due to improper output escaping in unquoted HTML attributes. While currently unpatched, the vulnerability requires authenticated access, limiting immediate risk but posing significant threats to WordPress sites with multiple user roles.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 10:18
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress with Plus Addons for Elementor face moderate risk, particularly in government digital transformation initiatives, banking sector websites, healthcare portals, and e-commerce platforms. Government agencies (under NCA oversight) and ARAMCO subsidiaries using WordPress for internal or external communications are at risk. The vulnerability primarily affects organizations with multiple contributor-level users, common in large enterprises and government entities managing content across multiple departments. Compromised sites could lead to credential theft, malware distribution, or defacement affecting public trust in Saudi digital services.
🏢 Affected Saudi Sectors
Government & Public Administration Banking & Financial Services Healthcare & Medical Services Energy & Utilities Telecommunications E-commerce & Retail Education Media & Publishing
⚖️ Saudi Risk Score (AI)
5.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:

1. Audit all WordPress installations using Plus Addons for Elementor plugin version 6.4.15 or earlier

2. Review user access logs for suspicious carousel widget modifications by contributor-level accounts

3. Restrict contributor-level permissions to Elementor editing until patch is available

4. Disable the Carousel Anything widget if not actively used



Compensating Controls:

1. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in carousel_direction parameters

2. Apply Content Security Policy (CSP) headers to prevent inline script execution

3. Enable WordPress security plugins with XSS detection capabilities

4. Implement strict input validation on all Elementor widget parameters at application level

5. Monitor page modifications and implement change detection alerts



Detection Rules:

1. Monitor database queries for carousel_direction parameters containing script tags or event handlers

2. Alert on any modifications to pages containing Carousel Anything widgets by contributor accounts

3. Log and review all Elementor widget configuration changes

4. Implement IDS/IPS signatures for XSS patterns in HTTP POST requests to wp-admin



Patching:

1. Contact Plus Addons developers for security patch timeline

2. Prepare upgrade plan for when patch becomes available

3. Test patch in staging environment before production deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون Plus Addons for Elementor الإصدار 6.4.15 أو أقدم

2. مراجعة سجلات وصول المستخدمين للتعديلات المريبة على أداة carousel من قبل حسابات على مستوى المساهم

3. تقييد أذونات المساهمين لتحرير Elementor حتى يتوفر التصحيح

4. تعطيل أداة Carousel Anything إذا لم تكن قيد الاستخدام النشط



الضوابط التعويضية:

1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن حمولات XSS وحجبها في معاملات carousel_direction

2. تطبيق رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ البرامج النصية المضمنة

3. تفعيل مكونات أمان WordPress مع قدرات الكشف عن XSS

4. تنفيذ التحقق الصارم من الإدخال على جميع معاملات أداة Elementor على مستوى التطبيق

5. مراقبة تعديلات الصفحات وتنفيذ تنبيهات الكشف عن التغييرات



قواعد الكشف:

1. مراقبة استعلامات قاعدة البيانات لمعاملات carousel_direction التي تحتوي على علامات البرامج النصية أو معالجات الأحداث

2. التنبيه على أي تعديلات على الصفحات التي تحتوي على أدوات Carousel Anything من قبل حسابات المساهمين

3. تسجيل ومراجعة جميع تغييرات إعدادات أداة Elementor

4. تنفيذ توقيعات IDS/IPS لأنماط XSS في طلبات HTTP POST إلى wp-admin



التصحيح:

1. الاتصال بمطوري Plus Addons للحصول على جدول زمني لتصحيح الأمان

2. إعداد خطة ترقية عند توفر التصحيح

3. اختبار التصحيح في بيئة التطوير قبل نشره في الإنتاج
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships ECC 2024 A.14.2.5 - Addressing information security in supplier agreements ECC 2024 A.6.1.1 - Information security roles and responsibilities ECC 2024 A.5.1.1 - Policies for information security
🔵 SAMA CSF
Governance & Risk Management - Third-party risk management Information & Cybersecurity - Application security and secure development Information & Cybersecurity - Vulnerability management Resilience - Incident response and recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security ISO 27001:2022 A.6.1 - Organization of information security ISO 27001:2022 A.8.1 - User endpoint devices ISO 27001:2022 A.14.2 - Supplier relationships ISO 27001:2022 A.14.2.5 - Information security in supplier agreements
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure all system components and software are protected from known vulnerabilities PCI DSS 6.5.7 - Cross-site scripting (XSS) PCI DSS 12.3 - Establish information security policy
📊 CVSS Score
6.4
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack VectorN — None / Network
Attack ComplexityL — Low / Local
Privileges RequiredL — Low / Local
User InteractionN — None / Network
ScopeC — Changed
ConfidentialityL — Low / Local
IntegrityL — Low / Local
AvailabilityN — None / Network
📋 Quick Facts
Severity Medium
CVSS Score6.4
CWECWE-79
EPSS0.03%
Exploit No
Patch ✗ No
Published 2026-05-29
Source Feed nvd
🇸🇦 Saudi Risk Score
5.8
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-79
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.