Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS. This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3.
Published: 2025-12-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of user input during web page generation. It enables a DOM‑based cross‑site scripting flaw that could allow an attacker to inject and execute JavaScript code in the browsers of users who view affected content. This flaw aligns with CWE‑79 and could lead to session hijacking, data theft, defacement, or the execution of further exploits in the victim’s context.

Affected Systems

WordPress sites running the WPDeveloper Essential Addons for Elementor plugin (Lite edition) at version 6.5.3 or earlier. The matching CPE identifier is cpe:2.3:a:wpdeveloper:essential_addons_for_elementor:*:*:*:*:lite:wordpress:*:*

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity with potential for high impact if exploited. The EPSS score of less than 1% indicates a currently low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. However, it remains a client‑side XSS risk that can be triggered through crafted URLs or user input, making it exploitable in scenarios where the plugin's output is rendered in a vulnerable context.

Generated by OpenCVE AI on April 29, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPDeveloper Essential Addons for Elementor plugin to the latest available version, which removes the DOM‑based XSS flaw.
  • If an immediate update is not possible, configure a web application firewall or client‑side filtering to prevent user‑supplied input from being interpreted as executable script.
  • Check any custom content or shortcodes generated by the plugin and apply proper output encoding or sanitization before rendering to users.


Advisories

No advisories yet.

History

Thu, 29 Jan 2026 17:00:00 +0000

Type: CPEs
Values Removed: none
Values Added: cpe:2.3:a:wpdeveloper:essential_addons_for_elementor:*:*:*:*:lite:wordpress:*:*

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 08 Jan 2026 21:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Wordpress; Wordpress wordpress; Wpdeveloper; Wpdeveloper essential Addons For Elementor

Type: Vendors & Products
Values Removed: none
Values Added: Wordpress; Wordpress wordpress; Wpdeveloper; Wpdeveloper essential Addons For Elementor

Tue, 30 Dec 2025 11:00:00 +0000

Type: Description
Values Removed: none
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS. This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3.

Type: Title
Values Removed: none
Values Added: WordPress Essential Addons for Elementor plugin <= 6.5.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:42:17.147Z

Reserved: 2025-12-29T11:19:16.970Z

Link: CVE-2025-69092

Vulnrichment

Updated: 2026-01-08T20:29:46.440Z

NVD

Status: Analyzed

Published: 2025-12-30T11:16:02.567

Modified: 2026-01-29T16:48:22.370

Link: CVE-2025-69092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:15:08Z
