Description
The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-06
Score: 5.4 Medium
EPSS: 3.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated WordPress user with contributor-level access to inject arbitrary scripts into the ‘marker_content’ field of the Open Street Map widget in Element Pack. The plugin fails to sanitize or escape this input, storing the payload in the database. When a page containing the malicious marker is viewed, the script runs in the visitor’s browser, enabling cookie theft, session hijacking, defacement or other client‑side attacks. The weakness is classified as CWE‑79.

Affected Systems

Vulnerable versions of bdthemes Element Pack – Widgets, Templates & Addons for Elementor Lite, up to and including 8.1.5, are affected. The plugin is deployed on WordPress sites that use this component.

Risk and Exploitability

The CVSS score of 5.4 reflects moderate severity. The EPSS score of 3 % indicates a low probability of exploitation in the short term. This issue is not listed in the CISA KEV catalog. Attackers must first authenticate to the WordPress admin interface with at least contributor privileges to add or edit the Open Street Map widget. After saving malicious marker content, all users who view the page are exposed to the injected script. The described attack vector requires legitimate WordPress access and is therefore limited to users with sufficient editorial rights.

Generated by OpenCVE AI on June 18, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Element Pack to version 8.1.6 or later to apply the security fix.
  • If an upgrade cannot be performed immediately, restrict contributor access to the Open Street Map widget or limit editing to trusted authors.
  • If the plugin is not required for site functionality, consider removing Element Pack entirely to eliminate the vulnerability.

Generated by OpenCVE AI on June 18, 2026 at 06:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23785 The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 13 Aug 2025 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bdthemes:element_pack:*:*:*:*:lite:wordpress:*:*

Wed, 06 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Bdthemes
Bdthemes element Pack
Element Pack Elementor Addons Wordpress
Element Pack Elementor Addons Wordpress element Pack Elementor Addons Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Bdthemes
Bdthemes element Pack
Element Pack Elementor Addons Wordpress
Element Pack Elementor Addons Wordpress element Pack Elementor Addons Wordpress
Wordpress
Wordpress wordpress

Wed, 06 Aug 2025 04:00:00 +0000

Type Values Removed Values Added
Description The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Element Pack Elementor Addons and Templates <= 8.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map Widget Marker Content
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Bdthemes Element Pack
Element Pack Elementor Addons Wordpress Element Pack Elementor Addons Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:11.047Z

Reserved: 2025-07-23T19:32:10.514Z

Link: CVE-2025-8100

cve-icon Vulnrichment

Updated: 2025-08-06T19:27:43.931Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-06T04:16:20.830

Modified: 2026-06-17T10:06:18.407

Link: CVE-2025-8100

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T06:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')