Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Elementor Addons wpb-elementor-addons allows Stored XSS. This issue affects WPB Elementor Addons: from n/a through <= 1.7.
Published: 2025-09-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during web page generation in the WPBean WPB Elementor Addons plugin creates a stored XSS flaw that allows attackers to persist malicious scripts. An attacker who succeeds in injecting a payload can cause arbitrary JavaScript to run in the browsers of any visitor who loads the affected content, which could compromise the confidentiality or integrity of user interactions. Based on the vulnerability type, this may lead to client‑side compromise such as defacement or session hijacking, though the CVE does not explicitly state these outcomes.

Affected Systems

WPBean’s WPB Elementor Addons plugin is affected for all releases from an unspecified starting point through version 1.7. Users running any version up to and including 1.7 should verify the plugin version and assume the flaw is present.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity. The EPSS score of less than 1 % suggests a low probability of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers would likely need to submit data through the plugin’s content entry mechanisms; the CVE does not specify the exact exploitation path, so this is inferred from the nature of stored XSS flaws.

Generated by OpenCVE AI on April 30, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPBean WPB Elementor Addons to the latest version that removes the XSS flaw.
  • If an upgrade is not immediately possible, uninstall or disable the plugin to eliminate the vulnerable code path.
  • Apply additional input filtering or a web‑application firewall rule that blocks JavaScript in the plugin’s input fields to mitigate potential injection attempts.



Advisories
Source: EUVD
ID: EUVD-2025-26984
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Elementor Addons allows Stored XSS. This issue affects WPB Elementor Addons: from n/a through 1.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Elementor Addons allows Stored XSS. This issue affects WPB Elementor Addons: from n/a through 1.6.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Elementor Addons wpb-elementor-addons allows Stored XSS. This issue affects WPB Elementor Addons: from n/a through <= 1.7.
Title
  Removed: WordPress WPB Elementor Addons Plugin <= 1.6 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress WPB Elementor Addons plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Sun, 07 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress; Wordpress wordpress; Wpbean; Wpbean wpb Elementor Addons
Vendors & Products: Wordpress; Wordpress wordpress; Wpbean; Wpbean wpb Elementor Addons

Fri, 05 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Sep 2025 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Elementor Addons allows Stored XSS. This issue affects WPB Elementor Addons: from n/a through 1.6.
Title WordPress WPB Elementor Addons Plugin <= 1.6 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:44:15.157Z

Reserved: 2025-09-05T10:49:01.958Z

Link: CVE-2025-58793

Vulnrichment

Updated: 2025-09-05T15:37:11.555Z

NVD

Status: Deferred

Published: 2025-09-05T14:15:47.920

Modified: 2026-04-23T15:33:38.763

Link: CVE-2025-58793

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:30:31Z

Weaknesses