Description
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax Highlighter, and Page Scroll widgets in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-03-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows an authenticated user with Contributor or higher privileges to store a script in a widget setting that executes in the browser of anyone who views the affected page, enabling session hijacking or data theft.
Action: Immediate Patch
AI Analysis

Impact

The Plus Addons for Elementor plugin is vulnerable to stored cross‑site scripting because the Countdown, Syntax Highlighter, and Page Scroll widgets neither sanitize the settings a user supplies nor escape them on output. The flaw, classified as CWE‑79, lets an attacker with Contributor or higher WordPress privileges place a script in a widget setting; the setting is persisted with the page and the script runs, in the site's own origin, in the browser of whoever views that page. Because WordPress Contributors cannot publish, the first victim is typically the Editor or Administrator who previews or reviews the submitted draft, in whose session the script then runs; once a page is published it runs for every visitor. The consequences are session hijacking, credential theft, defacement, or use of the site to distribute further malicious content.

Affected Systems

The vulnerability affects all installations of Posimyth's (posimyththemes) The Plus Addons for Elementor plugin at versions up to and including 6.2.2; the NVD CPE entry (cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:free:wordpress:*:*) covers the free edition distributed for WordPress. The plugin adds Elementor‑based addons, page templates, widgets, mega menus, and WooCommerce elements.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) describes a network-reachable flaw that needs only low privileges and no victim interaction, with changed scope because the injected script runs in other users' browsers; the EPSS score below 1% suggests a low probability of exploitation in the wild. The attacker must be authenticated with at least Contributor privileges to add or edit widget content, and the payload is stored and rendered on each load of the affected page. The vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so no confirmed in-the-wild exploitation is on record; absence from KEV is not evidence that the flaw is unexploited, and the impact remains significant because the script executes for every viewer of the page, including the privileged users who review Contributor drafts.

Generated by OpenCVE AI on April 20, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update The Plus Addons for Elementor to a release later than 6.2.2 as soon as the vendor publishes one; the advisory covers every version up to and including 6.2.2.
  • If an update cannot be applied immediately, review which accounts hold Contributor or higher roles and remove any that are not needed, disable or remove the Countdown, Syntax Highlighter, and Page Scroll widgets from the site configuration, and take pages that use them out of public view until a vendor‑issued fix is applied.
  • Search existing content, including unpublished drafts submitted by Contributors, for script tags, event‑handler attributes, or javascript: URLs in those widgets' settings; a payload submitted before the update is still stored in the database and should be reviewed and removed rather than assumed harmless.

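The rendering flaw itself is in the plugin's PHP and is the vendor's to fix; what a site operator can do, in line with the Impact paragraph and the third recommended action above, is hunt for payloads that are already persisted. Elementor stores each page's widget tree as a JSON array in the `_elementor_data` postmeta key, with each element carrying `elType`, `widgetType`, `settings`, and nested `elements`. The following added example (not code from OpenCVE, Wordfence, or the plugin) walks that tree for a set of `(post_id, meta_value)` rows and reports every string setting that contains a script tag, an inline event handler, a `javascript:` URL, or a common injection tag. The sample rows are constructed, and the widget type names `tp-countdown` and `tp-page-scroll` in them are assumed for illustration; the scan does not depend on any particular widget name, so it also covers widgets the advisory does not mention.

```python
"""Hunt for script-bearing widget settings in Elementor page data.

Input rows are (post_id, meta_value) pairs as produced by
  SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'
Drafts are stored the same way as published pages, so no post_status filter
should be applied when exporting: a Contributor's unpublished draft is exactly
where a pre-review payload sits.
"""
import json
import re

# Strings that should never reach a page unescaped from a widget setting.
# A match is a review candidate, not proof of compromise: a code-display
# widget may legitimately hold "<script>" as text, which is precisely why the
# plugin must escape it on output.
SUSPICIOUS = re.compile(
    r"<\s*script\b"
    r"|\bon[a-z]+\s*="          # inline event handler, e.g. onerror=
    r"|javascript\s*:"          # javascript: URL in a link setting
    r"|<\s*(?:iframe|svg|img|object|embed)\b",
    re.IGNORECASE,
)


def walk_values(obj, prefix=""):
    """Flatten nested setting dicts and lists (Elementor repeater fields)
    into (dotted_key, string_value) pairs; non-string leaves are skipped."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_values(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk_values(value, f"{prefix}{index}.")
    elif isinstance(obj, str):
        yield prefix.rstrip("."), obj


def iter_widget_settings(elements):
    """Yield (widget_type, setting_key, value) for every string setting in an
    Elementor element tree (sections contain columns contain widgets)."""
    for element in elements:
        widget_type = element.get("widgetType") or element.get("elType", "unknown")
        yield from ((widget_type, key, value)
                    for key, value in walk_values(element.get("settings", {})))
        yield from iter_widget_settings(element.get("elements", []))


def find_suspicious(post_id, elementor_data_json):
    """Return review candidates for one post's _elementor_data value."""
    if not elementor_data_json:
        return []
    hits = []
    for widget_type, key, value in iter_widget_settings(json.loads(elementor_data_json)):
        match = SUSPICIOUS.search(value)
        if match:
            hits.append({"post_id": post_id, "widget": widget_type, "setting": key,
                         "match": match.group(0), "value": value[:120]})
    return hits


def scan_rows(rows):
    """Scan an iterable of (post_id, meta_value) rows and collect all hits."""
    hits = []
    for post_id, meta_value in rows:
        hits.extend(find_suspicious(post_id, meta_value))
    return hits


# Constructed sample rows standing in for a postmeta export. The widget type
# names "tp-countdown" and "tp-page-scroll" are assumed for illustration.
SAMPLE_ROWS = [
    (12, json.dumps([{"id": "a1", "elType": "section", "settings": {}, "elements": [
        {"id": "a2", "elType": "column", "settings": {}, "elements": [
            {"id": "a3", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "Welcome"}, "elements": []}]}]}])),
    (27, json.dumps([{"id": "b1", "elType": "section", "settings": {}, "elements": [
        {"id": "b2", "elType": "column", "settings": {}, "elements": [
            {"id": "b3", "elType": "widget", "widgetType": "tp-countdown",
             "settings": {"title": "Sale ends <img src=x onerror=alert(document.cookie)>",
                          "expire_date": "2025-04-01 00:00"},
             "elements": []}]}]}])),
    (31, json.dumps([{"id": "c1", "elType": "section", "settings": {}, "elements": [
        {"id": "c2", "elType": "column", "settings": {}, "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "tp-page-scroll",
             "settings": {"sections": [
                 {"label": "Intro", "link": {"url": "#intro"}},
                 {"label": "Pricing", "link": {"url": "javascript:alert(1)"}}]},
             "elements": []}]}]}])),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(f"post {hit['post_id']}: {hit['widget']} setting {hit['setting']!r} "
              f"matched {hit['match']!r}: {hit['value']}")
```

Run against a real export, the report gives an administrator the post ID, widget type, and dotted setting path to open in the Elementor editor; the flattened path is what makes repeater-field payloads (the Page Scroll case above, found at `sections.1.link.url`) reviewable without hand-reading the JSON. Hits in a Syntax Highlighter widget deserve a human look rather than automatic deletion, since that widget's purpose is to display code.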


Advisories
Source: EUVD. ID: EUVD-2025-7383. Title: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax Highlighter, and Page Scroll widgets in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 24 Mar 2025 18:45:00 +0000

Type: First Time appeared. Values added: Posimyth; Posimyth the Plus Addons For Elementor
Type: CPEs. Values added: cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:free:wordpress:*:*
Type: Vendors & Products. Values added: Posimyth; Posimyth the Plus Addons For Elementor

Tue, 11 Mar 2025 16:15:00 +0000

Type: Metrics (ssvc). Values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 08 Mar 2025 08:30:00 +0000

Type: Description. Values added: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax Highlighter, and Page Scroll widgets in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title. Values added: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Type: Weaknesses. Values added: CWE-79
Type: References. Values added: none listed
Type: Metrics (cvssV3_1). Values added:
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:38.536Z

Reserved: 2025-02-13T20:28:52.148Z

Link: CVE-2025-1287

Vulnrichment

Updated: 2025-03-10T16:57:04.452Z

NVD

Status : Analyzed

Published: 2025-03-08T09:15:31.590

Modified: 2025-03-24T18:19:22.993

Link: CVE-2025-1287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:45:21Z

Weaknesses