Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS.This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10.
Published: 2025-12-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Cross‑Site Scripting (DOM‑Based XSS)
Action: Apply Patch
AI Analysis

Impact

Improper neutralization of input during web page generation allows DOM‑based cross‑site scripting in the WPZOOM Addons for Elementor plugin. An attacker could inject malicious JavaScript into a page that users load, leading to data theft, cookie hijacking, defacement or execution of arbitrary code within the context of the site. The flaw is classified as CWE‑79 and provides a moderate severity risk of 6.5 on the CVSS scale.

Affected Systems

The vulnerability affects WordPress sites that have the WPZOOM Addons for Elementor plugin installed in any version from its initial release through 1.2.10 inclusive. Any instance of the plugin within that version range is susceptible to exploitation.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact, while the EPSS score of less than 1% suggests a currently low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Likely attack vectors involve user‑visible parameters or content entered through the plugin’s UI that is rendered via the browser’s DOM, enabling an unauthenticated attacker to supply crafted input to trigger the XSS.

Generated by OpenCVE AI on April 27, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPZOOM Addons for Elementor to a release newer than 1.2.10 to apply the vendor patch for the XSS flaw.
  • If an immediate update is not feasible, temporarily disable the plugin or remove any content that could be used to inject malicious JavaScript.
  • Configure a web application firewall or security plugin to monitor and block execution of unexpected JavaScript payloads on the site.

Generated by OpenCVE AI on April 27, 2026 at 22:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpzoom
Wpzoom wpzoom Addons For Elementor
Vendors & Products Wordpress
Wordpress wordpress
Wpzoom
Wpzoom wpzoom Addons For Elementor

Tue, 16 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS.This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10.
Title WordPress WPZOOM Addons for Elementor plugin <= 1.2.10 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
Wpzoom Wpzoom Addons For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:28:19.903Z

Reserved: 2025-12-15T10:00:16.552Z

Link: CVE-2025-67951

cve-icon Vulnrichment

Updated: 2025-12-16T15:36:05.613Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:15:59.717

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67951

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:30:14Z

Weaknesses