
CVE-2026-9243 | posimyththemes The Plus Addons for Elementor Plugin up to 6.4.15 on WordPress Carousel Anything Widget carousel_direction cross site scripting (EUVD-2026-33254)

ID: 151c0c0f-55b9-5642-9b4c-be5b4cc16c95

STIX ID: report--151c0c0f-55b9-5642-9b4c-be5b4cc16c95

Feed Name: VulDB Recent Entries

Threat Score: 35/100

Date Published: 2026-05-29

Date Updated: 2026-05-29

Author: vuldb.com


The report documents a stored XSS vulnerability (CVE-2026-9243) in The Plus Addons for Elementor up to 6.4.15. Insufficient output escaping in the Carousel Anything widget allows attribute injection via the carousel_direction parameter, enabling authenticated attackers (contributor-level or higher) to inject scripts into pages. Technical details were disclosed by Wordfence and João Pedro S Alcântara, and no exploit is currently available.
