Description
The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

A stored cross‑site scripting flaw was discovered in Element Pack, a WordPress addon for Elementor. The flaw is triggered by the marker_content field of the Open Street Map widget. Input is not properly sanitized or escaped, allowing an attacker to save malicious script payloads. Once a page containing the injected content is viewed, the script executes in the visitor’s browser, potentially stealing session cookies, defacing content, or performing other client‑side attacks. This weakness is classified as CWE‑79.

Affected Systems

Versions of bdthemes’ Element Pack – Widgets, Templates & Addons for Elementor up to and including 8.1.5, both the Lite and full builds, are vulnerable. The plugin is installed on WordPress sites and can be upgraded beyond 8.1.5 to remove the flaw.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.4, indicating moderate impact. The EPSS score of less than 1 % suggests a low likelihood of widespread exploitation at present. It is not listed in the CISA KEV catalog. Attackers must be authenticated to the WordPress admin interface with a contributor or higher role, so the prerequisite is user credentials. From there, they can enter and save malicious marker content, which is then rendered for all users who view the affected page. This inferred attack vector requires that the attacker can add or edit the Open Street Map widget—an action typically restricted to higher‑privileged contributors.

Generated by OpenCVE AI on April 21, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Element Pack to version 8.1.6 or later to apply the security fix.
  • If an immediate upgrade is not possible, revoke contributor permissions from the Open Street Map widget or whitelist only trusted authors.
  • Remove the Element Pack plugin entirely if it is not required for site functionality.

Generated by OpenCVE AI on April 21, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23785 The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 13 Aug 2025 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bdthemes:element_pack:*:*:*:*:lite:wordpress:*:*

Wed, 06 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Bdthemes
Bdthemes element Pack
Element Pack Elementor Addons Wordpress
Element Pack Elementor Addons Wordpress element Pack Elementor Addons Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Bdthemes
Bdthemes element Pack
Element Pack Elementor Addons Wordpress
Element Pack Elementor Addons Wordpress element Pack Elementor Addons Wordpress
Wordpress
Wordpress wordpress

Wed, 06 Aug 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Element Pack Elementor Addons and Templates <= 8.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map Widget Marker Content
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Bdthemes Element Pack
Element Pack Elementor Addons Wordpress Element Pack Elementor Addons Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:11.047Z

Reserved: 2025-07-23T19:32:10.514Z

Link: CVE-2025-8100

cve-icon Vulnrichment

Updated: 2025-08-06T19:27:43.931Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-06T04:16:20.830

Modified: 2025-08-13T18:27:30.280

Link: CVE-2025-8100

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses