Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anantaddons Anant Addons for Elementor anant-addons-for-elementor allows Stored XSS. This issue affects Anant Addons for Elementor: from n/a through <= 1.2.8.
Published: 2025-06-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An input handling flaw in the Anant Addons for Elementor plugin allows stored cross-site scripting. The plugin fails to neutralize scripts submitted during content creation, and the stored scripts are later rendered to any visitor of the site. Attackers can inject arbitrary JavaScript that executes in the browsers of all users who view affected content, enabling theft of credentials, session hijacking, defacement, or distribution of malware.

Affected Systems

WordPress sites that run the Anant Addons for Elementor plugin with a version equal to or older than 1.2.8 are impacted. Site administrators should verify the installed plugin version and upgrade if necessary. The vulnerability applies to all installations where the plugin is active and allows user submissions or content editing without proper sanitization.

Risk and Exploitability

The CVSS base score of 6.5 classifies this as a medium severity vulnerability. The EPSS score of less than 1% indicates a very low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to craft a payload that the plugin will store, and then convince a user to view that content. Because the script runs in the context of the site, an attacker with any user role that can add or edit content could test the payload before it affects the wider audience.

Generated by OpenCVE AI on April 30, 2026 at 10:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Anant Addons for Elementor plugin to a version newer than 1.2.8, which contains the XSS fix.
  • If an upgrade is not yet available or cannot be applied immediately, disable or delete the plugin to prevent further stored script injection.
  • Verify that any custom content added through the plugin has been sanitized, and consider implementing additional input validation or output encoding (e.g., wp_kses) for any remaining fields.

Advisories

Source: EUVD
ID: EUVD-2025-28363
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anantaddons Anant Addons for Elementor allows Stored XSS. This issue affects Anant Addons for Elementor: from n/a through 1.2.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anantaddons Anant Addons for Elementor allows Stored XSS. This issue affects Anant Addons for Elementor: from n/a through 1.2.0.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anantaddons Anant Addons for Elementor anant-addons-for-elementor allows Stored XSS. This issue affects Anant Addons for Elementor: from n/a through <= 1.2.8.
Title
  Removed: WordPress Anant Addons for Elementor plugin <= 1.2.0 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Anant Addons for Elementor plugin <= 1.2.8 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 23 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anantaddons Anant Addons for Elementor allows Stored XSS. This issue affects Anant Addons for Elementor: from n/a through 1.2.0.
Title WordPress Anant Addons for Elementor plugin <= 1.2.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:16.922Z

Reserved: 2025-06-11T16:08:41.943Z

Link: CVE-2025-50038

Vulnrichment

Updated: 2025-06-23T16:12:15.722Z

NVD

Status: Deferred

Published: 2025-06-20T15:15:30.130

Modified: 2026-04-23T15:32:01.617

Link: CVE-2025-50038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')