Description
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Countdown widget of the aThemes Addons for Elementor plugin for WordPress. Insufficient input sanitization and output escaping allow an authenticated user with contributor-level or higher privileges to store malicious scripts in the widget’s attributes. When the page containing the widget is viewed, the injected scripts run with the privileges of the viewing user, potentially enabling credential theft, session hijacking, defacement, or further exploitation of the site.

Affected Systems

Vendors and products affected are aThemes Addons for Elementor, specifically all releases up to and including version 1.1.2. No other product versions are impacted according to the CNA data.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. However, because the flaw requires contributor or higher access, attackers who have gained such privileges can execute persistent cross‑site scripting. The vulnerability is not currently listed in CISA’s KEV catalog, but its potential for web‑based attacks warrants prompt remediation.

Generated by OpenCVE AI on April 20, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the aThemes Addons for Elementor plugin to version 1.1.3 or later, which contains the proper input validation and output escaping for the Countdown widget.
  • If an upgrade is not immediately possible, disable or remove the Countdown widget from all pages to eliminate the attack vector.
  • Restrict user roles to the minimum necessary permissions; consider revoking Contributor or higher roles from users who do not need them, thereby limiting the threat surface for this stored XSS.

Generated by OpenCVE AI on April 20, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27131 The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 08 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Athemes
Athemes athemes Addons For Elementor
Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Athemes
Athemes athemes Addons For Elementor
Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Mon, 08 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title aThemes Addons for Elementor Lite <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Athemes Athemes Addons For Elementor
Elementor Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:56.246Z

Reserved: 2025-07-24T21:46:15.546Z

Link: CVE-2025-8149

cve-icon Vulnrichment

Updated: 2025-09-08T13:52:42.616Z

cve-icon NVD

Status : Deferred

Published: 2025-09-06T04:16:06.880

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8149

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses