Description
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Update
AI Analysis

Impact

The Premium Addons for Elementor plugin for WordPress allows an attacker who can authenticate with Contributor or higher privileges to inject arbitrary JavaScript into the data‑countdown attribute of the Countdown widget. Because the attribute is not properly sanitized or escaped, the malicious script is stored in the post content and rendered into the page. When any visitor loads that page, the script executes in their browser, allowing the attacker to run code in the context of the site for all users who view the affected page.

Affected Systems

Every instance of the Leap13 Premium Addons for Elementor plugin for WordPress with a version of 4.11.8 or earlier is affected. Updating to any later release eliminates the vulnerability.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1 %, showing that wide‑scale exploitation is unlikely. It is not listed in the CISA KEV catalog. Exploitation requires authentication as a Contributor or higher and occurs through the authoring interface where a user can edit widget attributes. Once the malicious data‑countdown value is stored, it will run for every visitor to the page.

Generated by OpenCVE AI on April 28, 2026 at 11:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Premium Addons for Elementor to a version newer than 4.11.8 to eliminate the vulnerability.
  • If an upgrade is not immediately possible, remove or disable the Countdown widget from all pages and sanitize any existing data‑countdown attributes to ensure they contain only numeric values.
  • Restrict Contributor permissions to prevent unauthorized editing of widget attributes, or remove Contributor access if not required.

Generated by OpenCVE AI on April 28, 2026 at 11:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17660 The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 16 Jul 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Leap13
Leap13 premium Addons For Elementor
CPEs cpe:2.3:a:leap13:premium_addons_for_elementor:*:*:*:*:*:wordpress:*:*
Vendors & Products Leap13
Leap13 premium Addons For Elementor

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00032}

 epss

{'score': 0.00037}

Tue, 10 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Jun 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Premium Addons for Elementor <= 4.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Leap13 Premium Addons For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:40.503Z

Reserved: 2025-05-15T13:39:53.432Z

Link: CVE-2025-4774

cve-icon Vulnrichment

Updated: 2025-06-10T14:03:11.739Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-10T12:15:24.917

Modified: 2025-07-16T16:24:29.390

Link: CVE-2025-4774

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T11:15:26Z

Weaknesses