Description
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget in all versions up to, and including, 2.7.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can execute arbitrary scripts on any user who views the affected page.
Action: Patch Plugin
AI Analysis

Impact

The Exclusive Addons for Elementor plugin is vulnerable to a stored Cross‑Site Scripting flaw in the Countdown Widget. Widget settings are not adequately sanitized on input or escaped on output, so an authenticated user with Contributor-level access or higher can store JavaScript in the widget that runs in the browser of anyone who views a page containing it. Because a Contributor cannot publish posts, the first victim is often the Editor or Administrator who previews or reviews the draft; in that session the script can act with the reviewer's privileges, which makes session hijacking, credential theft, privilege escalation via the admin UI, or defacement realistic outcomes.

Affected Systems

WordPress sites running the Exclusive Addons for Elementor plugin at version 2.7.9.4 or earlier. Any installation in which a Contributor-level (or higher) account can place or edit the Countdown Widget is exposed, independent of the active theme.

Risk and Exploitability

The CVSS 3.1 score is 6.4 (Medium), with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N: network-reachable, low complexity, low privileges required, no victim interaction beyond loading the page, and a scope change because the script executes in visitors' browsers rather than in the plugin itself. The EPSS score is below 1%, which indicates no widespread exploitation activity has been observed so far, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs an authenticated Contributor-level or higher account to add or edit the widget. Once the payload is stored, every user who loads the affected page executes it, so the risk shifts from the attacker's own account to all visitors and, in particular, to privileged users who review the content.

Generated by OpenCVE AI on April 21, 2026 at 03:38 UTC.
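As an added illustration of the bug class this advisory describes (not code from the Exclusive Addons plugin, Wordfence, or OpenCVE), the following hypothetical countdown widget render shows the vulnerable pattern beside a hardened one. The widget class name, setting keys, and the stand-in escaping helpers are assumptions; inside WordPress the real esc_attr, esc_html and absint functions would be used.

```php
<?php
// Added illustration for this advisory: a hypothetical Elementor-style
// countdown widget render, NOT the plugin's actual code. Widget class names,
// setting keys and the sample settings below are assumptions.
//
// Elementor stores widget settings as JSON in the post's _elementor_data meta.
// A Contributor can save that JSON but has no unfiltered_html capability, so
// the widget render must treat every stored setting as untrusted.

// Stand-ins for the WordPress escaping helpers so this file runs with plain
// `php` outside WordPress. Inside WordPress these functions already exist.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($n): int { return abs((int) $n); }
}

/** Vulnerable pattern: stored settings concatenated straight into markup. */
function render_countdown_vulnerable(array $settings): string {
    return '<div class="countdown" data-expire="' . ($settings['expire_date'] ?? '') . '"'
         . ' title="' . ($settings['title'] ?? '') . '">'
         . '<span class="countdown-label">' . ($settings['label'] ?? '') . '</span>'
         . '</div>';
}

/** Hardened pattern: validate each setting for the context it lands in. */
function render_countdown_hardened(array $settings): string {
    // expire_date is a Unix timestamp in this example: coerce to a
    // non-negative integer so no quote or angle bracket reaches the attribute.
    $expire = absint($settings['expire_date'] ?? 0);
    // Free text inside an attribute value goes through esc_attr.
    $title  = esc_attr((string) ($settings['title'] ?? ''));
    // Free text used as element content goes through esc_html.
    $label  = esc_html((string) ($settings['label'] ?? ''));
    return '<div class="countdown" data-expire="' . $expire . '" title="' . $title . '">'
         . '<span class="countdown-label">' . $label . '</span>'
         . '</div>';
}

// Constructed sample: settings a Contributor could store for the widget.
$malicious = [
    'expire_date' => '1" onmouseover="alert(document.cookie)" x="',
    'title'       => 'Sale ends soon',
    'label'       => '<img src=x onerror=alert(1)>',
];

echo "Vulnerable render:\n" . render_countdown_vulnerable($malicious) . "\n\n";
echo "Hardened render:\n" . render_countdown_hardened($malicious) . "\n";
```

The point of the hardened version is that escaping is chosen per output context (numeric attribute, text attribute, element content); a single sanitize_text_field on save does not remove the need to escape on render, because the stored JSON can be edited by other code paths and imports.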

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to plugin version 2.7.10 or newer, where the input sanitization vulnerability is fixed.
  • If an update cannot be applied immediately, remove the Countdown Widget from all pages and delete any widget content that contains injected scripts.
  • Until the update is applied, limit page-builder editing to trusted roles, for example by excluding the Contributor role from the Elementor editor, and review drafts created by Contributor accounts before previewing them in a privileged session.
  • Run a site-wide XSS scan of post content and Elementor widget data to identify any residual malicious code, then sanitize or delete it and rotate sessions for any privileged user who viewed the affected page.

Generated by OpenCVE AI on April 21, 2026 at 03:38 UTC.
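As an added example for the scanning step above (not a tool from the plugin vendor, Wordfence, or OpenCVE), the script below walks exported Elementor page data and flags countdown widgets whose stored settings contain script-like content. Elementor keeps a page's widget tree as JSON in the _elementor_data post meta, and the element keys elType, widgetType, settings and elements are Elementor's; the widget type substring 'countdown', the regular expressions, and the sample data are assumptions.

```php
<?php
// Added triage scan for this advisory, not code from the plugin or OpenCVE.
// Scans Elementor's _elementor_data JSON for countdown widgets whose settings
// contain script-like content. Element keys (elType, widgetType, settings,
// elements) are Elementor's; the widget-type substring, the patterns and the
// sample data are assumptions.
//
// Intended use: export the meta with WP-CLI
//   wp post meta get <post_id> _elementor_data > page.json
// then run `php scan.php page.json`; with no argument it scans the sample below.

const SUSPICIOUS_PATTERNS = [
    '/<\s*script\b/i',                     // literal script tags
    '/\bon[a-z]+\s*=/i',                   // inline event handlers (onerror=, onload=)
    '/javascript\s*:/i',                   // javascript: URLs
    '/<\s*(iframe|object|embed|svg)\b/i',  // other script-capable elements
];

/** Flatten nested setting arrays into "a.b.c" => string pairs. */
function flatten_settings(array $settings, string $prefix = ''): array {
    $out = [];
    foreach ($settings as $k => $v) {
        $name = $prefix === '' ? (string) $k : $prefix . '.' . $k;
        if (is_array($v)) {
            $out += flatten_settings($v, $name);
        } elseif (is_scalar($v)) {
            $out[$name] = (string) $v;
        }
    }
    return $out;
}

/** Recursively walk Elementor's element tree and collect flagged settings. */
function scan_elements(array $elements, string $widget_type, array &$hits, string $path = ''): void {
    foreach ($elements as $i => $el) {
        $here = $path . '/' . ($el['id'] ?? (string) $i);
        if (($el['elType'] ?? '') === 'widget'
            && strpos((string) ($el['widgetType'] ?? ''), $widget_type) !== false) {
            foreach (flatten_settings($el['settings'] ?? []) as $key => $value) {
                foreach (SUSPICIOUS_PATTERNS as $re) {
                    if (preg_match($re, $value)) {
                        $hits[] = ['element' => $here, 'setting' => $key, 'value' => $value];
                        break;
                    }
                }
            }
        }
        if (!empty($el['elements'])) {
            scan_elements($el['elements'], $widget_type, $hits, $here);
        }
    }
}

function scan_elementor_json(string $json, string $widget_type = 'countdown'): array {
    $tree = json_decode($json, true);
    if (!is_array($tree)) {
        throw new InvalidArgumentException('not valid _elementor_data JSON');
    }
    $hits = [];
    scan_elements($tree, $widget_type, $hits);
    return $hits;
}

// Constructed sample: one benign heading and one countdown with an injected handler.
$sample = json_encode([[
    'id' => 'a1b2c3', 'elType' => 'section', 'settings' => [], 'elements' => [[
        'id' => 'd4e5f6', 'elType' => 'column', 'settings' => [], 'elements' => [
            ['id' => '111111', 'elType' => 'widget', 'widgetType' => 'heading',
             'settings' => ['title' => 'Flash sale'], 'elements' => []],
            ['id' => '222222', 'elType' => 'widget', 'widgetType' => 'exad-countdown',
             'settings' => ['title' => 'x" onmouseover="alert(1)', 'expire_date' => '2025-12-31'],
             'elements' => []],
        ],
    ]],
]]);

$json = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
foreach (scan_elementor_json($json) as $hit) {
    printf("FLAG %s setting=%s value=%s\n", $hit['element'], $hit['setting'], $hit['value']);
}
```

The patterns catch the obvious payloads; encoded or split payloads will slip past a regex, so treat the scan as triage and still apply the update, then review the post revision history for edits made by Contributor accounts.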

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-23784
Title: The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget in all versions up to, and including, 2.7.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 12 Aug 2025 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:exclusiveaddons:exclusive_addons_for_elementor:*:*:*:*:free:wordpress:*:*

Wed, 06 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
First Time appeared (added): Devscred; Devscred Exclusive Addons For Elementor; Exclusiveaddons; Exclusiveaddons Exclusive Addons For Elementor; Wordpress; Wordpress Wordpress
Vendors & Products (added): Devscred; Devscred Exclusive Addons For Elementor; Exclusiveaddons; Exclusiveaddons Exclusive Addons For Elementor; Wordpress; Wordpress Wordpress

Wed, 06 Aug 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget in all versions up to, and including, 2.7.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Exclusive Addons for Elementor <= 2.7.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Devscred Exclusive Addons For Elementor
Exclusiveaddons Exclusive Addons For Elementor
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:38.655Z

Reserved: 2025-07-11T15:06:32.836Z

Link: CVE-2025-7498

Vulnrichment

Updated: 2025-08-06T19:28:20.885Z

NVD

Status : Analyzed

Published: 2025-08-06T04:16:20.620

Modified: 2025-08-12T16:31:54.860

Link: CVE-2025-7498

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:45:27Z

Weaknesses