Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.4.
Published: 2025-12-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows attackers to store malicious JavaScript in the website. Stored XSS can execute arbitrary scripts in the browsers of visitors or administrators, enabling actions such as data theft, cookie hijacking, defacement, or turning the site into a delivery vector for further malware. The weakness is classified as CWE‑79.

Affected Systems

The flaw affects the WordPress plugin Liton Arefin Master Addons for Elementor, specifically all releases up to and including version 2.0.9.9.4. The plugin is used within the WordPress ecosystem to extend Elementor with additional modules.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score is below 1 %, suggesting that widespread exploitation is not currently common, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through the plugin’s configuration interfaces that store user‑supplied values; any authenticated or unauthenticated user who can submit those settings can inject JavaScript that will later be rendered to visitors. Exploitation does not require specialized privileges beyond the ability to submit configuration data, and the stored payload persists until the values are updated or the plugin is removed.

Generated by OpenCVE AI on April 29, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Master Addons for Elementor to a version above 2.0.9.9.4 as soon as possible.
  • If an immediate upgrade cannot be performed, restrict usage of the affected addon features to trusted administrators and consider disabling them temporarily.
  • Verify that no malicious scripts remain in the database or theme files, and scan the site for injected XSS payloads.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9. | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.4. |
| Title | WordPress Master Addons for Elementor plugin <= 2.0.9.9 - Cross Site Scripting (XSS) vulnerability | WordPress Master Addons for Elementor plugin <= 2.0.9.9.4 - Cross Site Scripting (XSS) vulnerability |

Mon, 02 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} |

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Elementor, Elementor elementor, Liton Arefin, Liton Arefin master Addons For Elementor, Wordpress, Wordpress wordpress |
| Vendors & Products | | Elementor, Elementor elementor, Liton Arefin, Liton Arefin master Addons For Elementor, Wordpress, Wordpress wordpress |

Tue, 09 Dec 2025 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'} |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Tue, 09 Dec 2025 15:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9. |
| Title | | WordPress Master Addons for Elementor plugin <= 2.0.9.9 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:35:51.789Z

Reserved: 2025-10-24T14:26:32.477Z

Link: CVE-2025-63055

Vulnrichment

Updated: 2025-12-09T16:58:28.607Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:10.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-63055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:30:10Z

Weaknesses