Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petesheppard84 Extensions for Elementor. This issue affects Extensions for Elementor: from n/a through 2.0.40.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Extensions for Elementor plugin fails to neutralize user-supplied input before rendering it into a web page, allowing injected script to execute in the browser of anyone who views the affected content. This cross-site scripting flaw can lead to defacement, theft of session data, or delivery of malicious script to site visitors. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

Affected installations run the petesheppard84 Extensions for Elementor plugin at any version up to and including 2.0.40. The advisory gives no lower bound ("from n/a"), so every release up to and including 2.0.40 should be treated as impacted.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the medium severity range, while an EPSS score below 1% indicates a very low probability of exploitation in the wild today. The flaw is not listed in the CISA KEV catalogue. Exploitation likely requires an attacker to place malicious markup into a user-controllable field of the plugin, such as a widget, form, or custom content block, and then rely on visitors to the affected page to trigger the script when they view it; the CVSS vector (PR:L, UI:R) likewise records that low privileges and user interaction are needed. Beyond that, no special prerequisites are required other than the presence of the vulnerable plugin version.

Generated by OpenCVE AI on May 1, 2026 at 01:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Extensions for Elementor plugin to the latest version released by petesheppard84, which contains the XSS fix.
  • If an upgrade cannot be performed immediately, disable front-end rendering of data supplied by the affected plugin or replace the offending widget with a static alternative. This removes the attack surface until a patch is applied.
  • Apply strict input sanitization or output escaping to any content managed by the plugin, ensuring that user-supplied data is rendered as plain text rather than executable script.



Advisories

Source: EUVD
ID: EUVD-2025-9436
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petesheppard84 Extensions for Elementor. This issue affects Extensions for Elementor: from n/a through 2.0.40.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petesheppard84 Extensions for Elementor extensions-for-elementor.This issue affects Extensions for Elementor: from n/a through <= 2.0.40.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petesheppard84 Extensions for Elementor. This issue affects Extensions for Elementor: from n/a through 2.0.40.

Type: References


Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petesheppard84 Extensions for Elementor. This issue affects Extensions for Elementor: from n/a through 2.0.40.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petesheppard84 Extensions for Elementor extensions-for-elementor.This issue affects Extensions for Elementor: from n/a through <= 2.0.40.

Type: References


Wed, 02 Apr 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in petesheppard84 Extensions for Elementor. This issue affects Extensions for Elementor: from n/a through 2.0.40.

Type: Title
Values Added: WordPress Extensions for Elementor plugin <= 2.0.40 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:15.250Z

Reserved: 2025-04-01T13:21:29.404Z

Link: CVE-2025-31889

Vulnrichment

Updated: 2025-04-02T14:04:54.318Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:53.633

Modified: 2026-04-28T19:31:23.410

Link: CVE-2025-31889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:15:05Z

Weaknesses