The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Site Title’ widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Metrics
Affected Vendors & Products
References
History
Fri, 21 Mar 2025 08:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 20 Mar 2025 07:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Site Title’ widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
Title | 140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Site Title' widget | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2025-03-20T15:02:48.150Z
Reserved: 2025-03-07T21:07:23.239Z
Link: CVE-2025-2108

Updated: 2025-03-20T15:02:33.968Z

Status : Received
Published: 2025-03-20T07:15:38.187
Modified: 2025-03-20T07:15:38.187
Link: CVE-2025-2108

No data.