The Product Filter Widget for Elementor plugin for WordPress suffers from a reflected cross-site scripting vulnerability due to improper neutralization of input during web page generation (CWE-79). Specifically, the 'args[filterFormArray]' parameter is not properly sanitized or escaped in all versions up to 1.0.6. The vulnerable AJAX endpoint is registered without nonce verification or capability checks, allowing unauthenticated attackers to craft malicious requests that execute arbitrary JavaScript in the context of a victim's browser. Exploitation requires social engineering to trick users into visiting attacker-controlled pages that trigger a CSRF-style form submission to the admin-ajax.php endpoint. This vulnerability can lead to limited confidentiality and integrity impacts but does not affect availability. No known exploits are reported in the wild, and no official fix or patch has been disclosed.

Successful exploitation allows an attacker to execute arbitrary scripts in the context of a victim's browser session, potentially leading to information disclosure or manipulation of web content. The vulnerability affects confidentiality and integrity but does not impact system availability. Since the endpoint lacks nonce verification and capability checks, unauthenticated attackers can exploit it via social engineering. However, no known exploits have been observed in the wild to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling the vulnerable plugin or restricting access to the affected AJAX endpoint if possible. Additionally, educating users to avoid clicking on suspicious links can reduce the risk of exploitation. Monitor vendor channels for updates regarding patches or official mitigations.