Description
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting allowing authenticated contributors to inject arbitrary scripts
Action: Immediate Patch
AI Analysis

Impact

The aThemes Addons for Elementor plugin suffers from insufficient sanitization and escaping in its Call To Action widget, leading to stored Cross‑Site Scripting. An authenticated contributor or higher can embed malicious scripts in widget content that will run in the browsers of any visitor to the affected page, potentially enabling session hijacking, defacement, or data theft.

Affected Systems

All WordPress sites running aThemes Addons for Elementor version 1.1.5 or earlier are affected. No specific hardware or OS requirements are mentioned; the flaw exists purely in the plugin’s PHP code that renders widget output.

Risk and Exploitability

The CVSS score of 6.4 classifies the issue as a medium‑severity vulnerability. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid contributor‑level credentials and user interaction with the vulnerable widget, making it more limited compared to publicly exploitable flaws.

Generated by OpenCVE AI on April 21, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the aThemes Addons for Elementor plugin to version 1.1.6 or later to remove the vulnerable code
  • If an update cannot be applied immediately, remove or disable the Call To Action widget for contributors, or restrict the contributor role to read‑only access so the widget cannot be modified
  • Deploy a Content Security Policy that restricts inline script execution and disallows scripts from untrusted sources as a temporary protective measure

Generated by OpenCVE AI on April 21, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 10 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 10 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Athemes
Athemes athemes Addons For Elementor
Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Athemes
Athemes athemes Addons For Elementor
Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Sat, 08 Nov 2025 09:30:00 +0000

Type Values Removed Values Added
Description The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title aThemes Addons for Elementor <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Athemes Athemes Addons For Elementor
Elementor Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:22.443Z

Reserved: 2025-11-06T20:06:06.183Z

Link: CVE-2025-12837

cve-icon Vulnrichment

Updated: 2025-11-10T14:07:19.353Z

cve-icon NVD

Status : Deferred

Published: 2025-11-08T10:15:41.877

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12837

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses