Description
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10 even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Update
AI Analysis

Impact

The Plus Addons for Elementor plugin contains a stored cross‑site scripting flaw that enables an authenticated user with a Contributor role or higher to inject arbitrary JavaScript through the custom script parameter in all versions up to 6.3.10, even when the unfiltered_html capability is disabled. An attacker who can write or edit content can embed malicious code that will execute whenever any visitor views the affected page, potentially compromising user sessions and data.

Affected Systems

The vulnerability affects all WordPress sites running the Plus Addons for Elementor plugin from its initial release through version 6.3.10, issued by the vendor Posimyththemes. The flaw is present in the core widget code and page template configuration. Site administrators must check any installation that uses this plugin version and be aware that any user with Contributor or higher permissions is a threat actor.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and the EPSS score of < 1% suggests a low probability of exploitation under normal circumstances. However, the flaw can be exploited by anyone who can add or edit Elementor content, and the attack does not require unauthenticated access. Because the vulnerability is stored, it affects all visitors who load the compromised page. The bug is not currently listed in the CISA KEV catalog, but site owners are advised to monitor threat feeds for emerging exploitation activity.

Generated by OpenCVE AI on April 21, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade The Plus Addons for Elementor to version 6.3.11 or later, which removes the unsafe custom script parameter.
  • Immediately disable or delete any custom script settings added by contributors until a patch is applied.
  • Review user roles and remove Contributor or higher permissions from non‑trusted users, or use a role‑management tool to strip the capability that allows storing custom scripts.
  • Configure a web application firewall or content filtering plugin to block injected script tags in Elementor content.

Generated by OpenCVE AI on April 21, 2026 at 03:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23345 The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10 even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 01 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 Aug 2025 07:00:00 +0000

Type Values Removed Values Added
Description The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10 even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:40.200Z

Reserved: 2025-07-14T16:25:15.476Z

Link: CVE-2025-7646

cve-icon Vulnrichment

Updated: 2025-08-01T13:12:55.913Z

cve-icon NVD

Status : Deferred

Published: 2025-08-01T07:15:32.990

Modified: 2026-06-17T10:05:24.293

Link: CVE-2025-7646

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')