Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS.This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.1.
Published: 2025-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation that permits stored cross‑site scripting in the Themesflat Addons for Elementor plugin. Because malicious scripts are persisted in the plugin’s stored content, they are executed in the browsers of any visitor who loads affected pages, potentially enabling defacement, cookie theft, session hijacking, or phishing attacks. The weakness is a classic input‑validation flaw identified as CWE‑79.

Affected Systems

Affected systems are WordPress installations that have the Themesflat Addons for Elementor plugin of any version through 2.3.1, inclusive. The vulnerability applies to all versions released from the plugin’s inception up to and including 2.3.1.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of <1% denotes a very low probability of active exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw via user‑controlled input stored by the plugin, which is then rendered on site pages accessible to all visitors. Successful exploitation requires the plugin to be installed and active on a WordPress site.

Generated by OpenCVE AI on May 1, 2026 at 03:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Themesflat Addons for Elementor plugin to the latest version (2.3.2 or newer).
  • If the plugin is not required, uninstall or disable it entirely to eliminate the attack surface.
  • Verify that any custom content entered into the plugin is sanitized or escape user input before storage to prevent future XSS issues.

Generated by OpenCVE AI on May 1, 2026 at 03:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8816 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat Themesflat Addons For Elementor allows Stored XSS. This issue affects Themesflat Addons For Elementor: from n/a through 2.2.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat Themesflat Addons For Elementor allows Stored XSS. This issue affects Themesflat Addons For Elementor: from n/a through 2.2.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS.This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.1.
Title WordPress Themesflat Addons For Elementor plugin <= 2.2.5 - Cross Site Scripting (XSS) vulnerability WordPress Themesflat Addons For Elementor plugin <= 2.3.1 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 31 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat Themesflat Addons For Elementor allows Stored XSS. This issue affects Themesflat Addons For Elementor: from n/a through 2.2.5.
Title WordPress Themesflat Addons For Elementor plugin <= 2.2.5 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:09.091Z

Reserved: 2025-03-31T10:05:43.538Z

Link: CVE-2025-31567

cve-icon Vulnrichment

Updated: 2025-03-31T13:54:45.664Z

cve-icon NVD

Status : Deferred

Published: 2025-03-31T13:15:50.227

Modified: 2026-04-23T15:27:58.797

Link: CVE-2025-31567

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T03:15:07Z

Weaknesses