Description
The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 2.0.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-03-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Update
AI Analysis

Impact

The Master Addons – Elementor Addons plugin for WordPress contains a stored cross‑site scripting vulnerability that allows an authenticated user with Contributor-level access or higher to inject arbitrary JavaScript through the unfiltered ‘id’ parameter in several plugin components. When the data is persisted and subsequently displayed on a page, the malicious script runs under the identity of the visitor, enabling attackers to steal session data, deface content, or perform further phishing attempts against site users. The weakness arises from insufficient input sanitization and lack of output escaping, which directly maps to CWE‑79.
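The weakness described above is the standard stored-XSS pattern in a WordPress plugin: a value a low-privileged editor-role user controls is persisted and later echoed into HTML without escaping. The snippet below is an added illustration, not code from Master Addons, showing the unsafe rendering pattern next to the hardened one using WordPress core's `sanitize_html_class()` and `esc_attr()`. The `$settings` array, the `ma_example_*` function names and the widget markup are assumptions for the illustration.

```php
<?php
// Added illustration (not Master Addons code): how a user-supplied "id"
// setting becomes stored XSS when it is echoed raw, and the defender-side fix.
// $settings is a hypothetical array of widget settings entered in the editor
// by a Contributor-level user and persisted with the post.

// UNSAFE pattern (illustrative): the stored value reaches the page unescaped.
function ma_example_render_unsafe( array $settings ) {
    $id = isset( $settings['id'] ) ? $settings['id'] : '';
    // A value containing a double quote followed by an event-handler attribute
    // closes the id attribute and adds script to the element; every visitor
    // who loads the page then executes it in their own session.
    return '<div id="' . $id . '" class="ma-widget"></div>';
}

// HARDENED pattern: constrain the value on save AND escape it on output.
function ma_example_sanitize_id( $raw ) {
    // sanitize_html_class() keeps only A-Z, a-z, 0-9, '_' and '-', which is
    // all an HTML id needs; run it once when the setting is saved.
    return sanitize_html_class( (string) $raw );
}

function ma_example_render_safe( array $settings ) {
    $id = isset( $settings['id'] ) ? ma_example_sanitize_id( $settings['id'] ) : '';
    // esc_attr() HTML-encodes quotes and angle brackets at output time, so even
    // a value that slipped past the save-time filter cannot break out of the
    // attribute. Escaping at output is the control CWE-79 is about.
    return '<div id="' . esc_attr( $id ) . '" class="ma-widget"></div>';
}
```

The two layers are deliberate: save-time sanitization limits what gets stored, and output escaping protects every render path, including values written before the fix was applied. Defenders reviewing a plugin for this class of bug look for `echo` or string concatenation of setting values into attributes without an `esc_*()` call.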

Affected Systems

Affected are all installations of Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits up to and including version 2.0.7.1. Users running any of these versions on WordPress should verify their installed version against the latest release.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation, and the issue is not listed in the CISA KEV catalog. Nonetheless, because the flaw requires only Contributor‑level access, any site that grants that role or a higher one to untrusted users is susceptible. An attacker can exploit the stored XSS by interacting with the plugin’s UI to submit data containing malicious scripts, which will persist and execute when the injected page is rendered for any user. No additional external conditions are required beyond the authentication level.

Generated by OpenCVE AI on April 21, 2026 at 22:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Master Addons to a version newer than 2.0.7.1 before deploying the plugin to production sites
  • If an immediate update is not possible, remove Contributor or higher roles from users that will not need access to the plugin, or restrict these roles from using the plugin via role‑based access control
  • As an interim workaround, disable the plugin’s features that rely on the ‘id’ parameter or use a content filtering plugin to sanitize output from the affected components

Advisories
Source: EUVD
ID: EUVD-2025-7361
Title: The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 2.0.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 04 Mar 2025 21:00:00 +0000

Type: First Time appeared
Values Added: Master-addons; Master-addons master Addons

Type: CPEs
Values Added: cpe:2.3:a:master-addons:master_addons:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Master-addons; Master-addons master Addons

Tue, 04 Mar 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Mar 2025 08:45:00 +0000

Type: Description
Values Added: The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 2.0.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Master Addons <= 2.0.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Master-addons Master Addons
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:13.900Z

Reserved: 2025-01-13T21:59:30.426Z

Link: CVE-2025-0433

Vulnrichment

Updated: 2025-03-04T14:22:54.304Z

NVD

Status : Analyzed

Published: 2025-03-04T09:15:10.613

Modified: 2025-03-04T20:34:08.907

Link: CVE-2025-0433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses