Description
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attack vectors in all versions up to, and including, 6.5.3. This is due to insufficient input sanitization and output escaping in the Event Calendar widget's custom attributes handling and the Image Masking module's element ID rendering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows authenticated contributors to inject scripts
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Essential Addons for Elementor plugin, specifically within the Event Calendar widget and the Image Masking module. Insufficient input sanitization and output escaping allow an authenticated user with Contributor level or higher privileges to inject malicious JavaScript that will run in the browser of anyone who views the affected page. The entry states that injected scripts execute whenever a user accesses an injected page, indicating that the payload could exfiltrate credentials, deface content, or perform actions on behalf of the user.

Affected Systems

WordPress sites running the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin (vendor wpdevteam) are affected. All releases up to and including version 6.5.3 contain the flaw. Users who have installed these versions should verify their plugin version and update if necessary.

Risk and Exploitability

The CVSS score of 6.4 classifies the risk as moderate, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild; however, because this flaw requires only Contributor‑level access, it is relatively easy to obtain within many sites. The vulnerability is not listed in CISA KEV, but should still be addressed promptly. Attackers would typically authenticate through the WordPress dashboard and insert malicious payloads via the Event Calendar or Image Masking editors. Successful exploitation would impact the confidentiality, integrity, and availability of the site to all authenticated and unauthenticated users who view the compromised content.

Generated by OpenCVE AI on April 21, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Essential Addons for Elementor to the latest release, which removes the stored XSS vulnerability.
  • If an upgrade cannot be performed immediately, deny Contributor or higher roles from the Event Calendar and Image Masking interfaces, or otherwise limit those users’ ability to edit those components.
  • Audit content created by contributors for injected scripts and cleanse any identified content, then use a content sanitization plugin or enforce stricter input validation on future submissions.

Generated by OpenCVE AI on April 21, 2026 at 17:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam essential Addons For Elementor
Vendors & Products Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam essential Addons For Elementor

Wed, 17 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attack vectors in all versions up to, and including, 6.5.3. This is due to insufficient input sanitization and output escaping in the Event Calendar widget's custom attributes handling and the Image Masking module's element ID rendering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Elementor Elementor
Wordpress Wordpress
Wpdevteam Essential Addons For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:17.779Z

Reserved: 2025-12-03T16:52:26.486Z

Link: CVE-2025-13977

cve-icon Vulnrichment

Updated: 2025-12-17T21:27:47.391Z

cve-icon NVD

Status : Deferred

Published: 2025-12-17T04:15:44.157

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13977

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses