Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite ultraaddons-elementor-lite allows Stored XSS.This issue affects UltraAddons Elementor Lite: from n/a through <= 2.0.2.
Published: 2025-05-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are stored within the UltraAddons Elementor Lite plugin. By exploiting this stored XSS flaw, an attacker can execute arbitrary client‑side code in the context of the victim’s browser, potentially leading to defacement, phishing payload delivery, or credential theft. The weakness is a classic input validation flaw identified as CWE‑79.

Affected Systems

The issue affects the WordPress UltraAddons Elementor Lite plugin from its earliest version up to and including 2.0.2, developed by Saiful Islam. Any WordPress site that has installed this plugin with a version 2.0.2 or older is vulnerable; newer releases are not affected.

Risk and Exploitability

The CVSS base score is 6.5, indicating a medium severity vulnerability. The EPSS score is less than 1%, suggesting a low likelihood of exploitation at this time and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation would likely occur through an attacker creating or editing content within the plugin’s interface, embedding a malicious script that is later served to site visitors. The attack vector is local to the site admin interface and requires the victim to view a page containing the stored payload.

Generated by OpenCVE AI on May 1, 2026 at 08:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update UltraAddons Elementor Lite to the latest available version, which is greater than 2.0.2 and eliminates the stored XSS vulnerability.
  • If upgrading is not immediately possible, remove any user‑generated content within the plugin that could contain malicious scripts and regenerate affected pages to strip them.
  • Alternatively, disable or uninstall the plugin until a patch is released to prevent exploitation.

Generated by OpenCVE AI on May 1, 2026 at 08:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15517 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from n/a through 2.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from n/a through 2.0.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite ultraaddons-elementor-lite allows Stored XSS.This issue affects UltraAddons Elementor Lite: from n/a through <= 2.0.2.
Title WordPress UltraAddons Elementor Lite <= 2.0.0 - Cross Site Scripting (XSS) Vulnerability WordPress UltraAddons Elementor Lite plugin <= 2.0.2 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saiful Islam UltraAddons Elementor Lite allows Stored XSS. This issue affects UltraAddons Elementor Lite: from n/a through 2.0.0.
Title WordPress UltraAddons Elementor Lite <= 2.0.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.156Z

Reserved: 2025-05-15T18:01:28.792Z

Link: CVE-2025-48131

cve-icon Vulnrichment

Updated: 2025-05-16T16:42:15.368Z

cve-icon NVD

Status : Deferred

Published: 2025-05-16T16:15:44.780

Modified: 2026-04-23T15:30:51.210

Link: CVE-2025-48131

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:45:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')