Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spider Themes Spider Elements spider-elements allows Stored XSS. This issue affects Spider Elements: from n/a through <= 1.6.5.
Published: 2025-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Stored cross‑site scripting has been discovered in the Spider Elements add‑ons for Elementor plugin. The plugin does not properly neutralize user input that is stored for later rendering, allowing an attacker to embed malicious scripts that are then executed in the browsers of any visitor who loads the affected content.

Affected Systems

WordPress sites running the Spider Themes Spider Elements plugin in any release up to and including version 1.6.5 are vulnerable. The flaw can affect any site that uses the plugin on an Elementor‑based WordPress installation.

Risk and Exploitability

The CVSS score of 6.5 classifies the issue as medium severity. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is stored XSS: an attacker submits malicious content through the plugin’s content entry interface, and the injected scripts run in the browser of every visitor who views the compromised content.

Generated by OpenCVE AI on May 1, 2026 at 11:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Spider Elements plugin to a version newer than 1.6.5 to remove the XSS flaw.
  • If an upgrade is not immediately possible, disable or uninstall the plugin to eliminate the attack surface until a patch is available.
  • As a temporary measure for sites that must continue using the vulnerable plugin, apply server‑side output sanitization, such as WordPress’s wp_kses or similar filtering, to all plugin‑generated content so that potentially malicious script tags are stripped or escaped.

Advisories
Source: EUVD
ID: EUVD-2025-9845
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spider Themes Spider Elements – Addons for Elementor allows Stored XSS. This issue affects Spider Elements – Addons for Elementor: from n/a through 1.6.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spider Themes Spider Elements – Addons for Elementor allows Stored XSS. This issue affects Spider Elements – Addons for Elementor: from n/a through 1.6.2.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spider Themes Spider Elements spider-elements allows Stored XSS. This issue affects Spider Elements: from n/a through <= 1.6.5.
Title
Removed: WordPress Spider Elements – Addons for Elementor plugin <= 1.6.2 - Cross Site Scripting (XSS) vulnerability
Added: WordPress Spider Elements – Addons for Elementor plugin <= 1.6.5 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 04 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spider Themes Spider Elements – Addons for Elementor allows Stored XSS. This issue affects Spider Elements – Addons for Elementor: from n/a through 1.6.2.
Title WordPress Spider Elements – Addons for Elementor plugin <= 1.6.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:18.283Z

Reserved: 2025-04-04T10:01:19.451Z

Link: CVE-2025-32182

Vulnrichment

Updated: 2025-04-04T18:29:44.140Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:27.623

Modified: 2026-04-23T15:28:42.723

Link: CVE-2025-32182

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:15:15Z

Weaknesses