Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPelite HMH Footer Builder For Elementor hmh-footer-builder-for-elementor allows Stored XSS. This issue affects HMH Footer Builder For Elementor: from n/a through <= 1.0.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in the WPelite HMH Footer Builder For Elementor plugin allows attackers to embed malicious scripts that are stored and executed during page rendering. Successful exploitation can lead to session hijacking, cookie theft, defacement, or other client-side attacks; the weakness is a classic case of CWE-79.

Affected Systems

Any WordPress installation that includes the HMH Footer Builder For Elementor plugin at version 1.0 or older is affected. No specific WordPress core version is mentioned, so every site using that plugin is at risk.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability is of medium severity. The EPSS score of less than 1% suggests a low likelihood of exploitation, and it is not listed in the CISA KEV catalogue. The attack likely requires an authenticated user with editor access to inject the malicious code, which then persists and runs for all site visitors.

Generated by OpenCVE AI on May 1, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the HMH Footer Builder For Elementor plugin to a version that removes the stored XSS flaw
  • If no update is available, disable or uninstall the plugin to eliminate the attack surface
  • Restrict Elementor editor access to trusted administrators to reduce the chance of malicious script injection
  • Audit existing footer content for injected scripts and remove any that are found



Advisories
Source: EUVD
ID: EUVD-2025-9274
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPelite HMH Footer Builder For Elementor allows Stored XSS. This issue affects HMH Footer Builder For Elementor: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPelite HMH Footer Builder For Elementor allows Stored XSS. This issue affects HMH Footer Builder For Elementor: from n/a through 1.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPelite HMH Footer Builder For Elementor hmh-footer-builder-for-elementor allows Stored XSS. This issue affects HMH Footer Builder For Elementor: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 02 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPelite HMH Footer Builder For Elementor allows Stored XSS. This issue affects HMH Footer Builder For Elementor: from n/a through 1.0.
Title WordPress HMH Footer Builder For Elementor plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:11.619Z

Reserved: 2025-04-01T13:19:14.437Z

Link: CVE-2025-31749

Vulnrichment

Updated: 2025-04-02T15:35:09.678Z

NVD

Status: Deferred

Published: 2025-04-01T15:16:11.237

Modified: 2026-04-23T15:28:12.560

Link: CVE-2025-31749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T02:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')