Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor athemes-addons-for-elementor-lite allows Stored XSS. This issue affects aThemes Addons for Elementor: from n/a through <= 1.1.2.
Published: 2025-09-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The aThemes Addons for Elementor plugin for WordPress contains a stored cross‑site scripting flaw that allows attackers to inject persistent JavaScript into web pages that are rendered for other site visitors. Because input is not properly neutralized (CWE‑79), malicious scripts can execute when the affected content is displayed in a user’s browser.

Affected Systems

The vulnerability is present in the aThemes Addons for Elementor plugin provided by Syed Balkhi. All releases through version 1.1.2 are affected. WordPress sites that have installed or are running any of these versions are directly impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate risk, while the EPSS score of < 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because this is a stored XSS, the likely attack vector is content input fields in the plugin, where malicious scripts could be saved and later executed in the browsers of other visitors; this is inferred from the nature of the flaw rather than explicitly stated in the advisory.

Generated by OpenCVE AI on April 30, 2026 at 06:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the aThemes Addons for Elementor plugin to version 1.1.3 or later.
  • If the update is not feasible, disable or remove the plugin to eliminate the stored XSS vulnerability.
  • After the update or removal, inspect the site for any existing malicious payloads and clear caches and sessions to prevent continued exploitation.


Advisories
Source: EUVD
ID: EUVD-2025-31288
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor allows Stored XSS. This issue affects aThemes Addons for Elementor: from n/a through 1.1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor allows Stored XSS. This issue affects aThemes Addons for Elementor: from n/a through 1.1.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor athemes-addons-for-elementor-lite allows Stored XSS. This issue affects aThemes Addons for Elementor: from n/a through <= 1.1.2.
Title
  Removed: WordPress aThemes Addons for Elementor Plugin <= 1.1.3 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress aThemes Addons for Elementor Plugin <= 1.1.2 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Athemes
Athemes athemes Addons For Elementor
Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Athemes
Athemes athemes Addons For Elementor
Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Balkhi aThemes Addons for Elementor allows Stored XSS. This issue affects aThemes Addons for Elementor: from n/a through 1.1.3.
Title WordPress aThemes Addons for Elementor Plugin <= 1.1.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.945Z

Reserved: 2025-09-25T15:20:22.597Z

Link: CVE-2025-60112

Vulnrichment

Updated: 2025-09-26T13:13:29.118Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:37.587

Modified: 2026-04-23T15:34:14.493

Link: CVE-2025-60112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:15:29Z

Weaknesses