Description
The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-29
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The Events Addon for Elementor plugin is vulnerable due to insufficient input sanitization and output escaping on user‑supplied attributes in its Typewriter and Countdown widgets. The flaw allows authenticated users with Contributor level or higher to inject arbitrary JavaScript that will execute on any page displaying the affected widget. This stored XSS vulnerability is classified as CWE‑79.

Affected Systems

The vulnerability affects all versions of the Events Addon for Elementor by nicheaddons up to and including 2.2.9. No specific sub‑versions are listed as outside the affected range.

Risk and Exploitability

With a CVSS score of 6.4, the threat is moderate but real. The EPSS score of less than 1% indicates a very low probability of exploitation at present, and the flaw is not yet listed in CISA's KEV catalog. The attack vector requires authenticated access with Contributor or higher privileges, meaning that roles with that level of permission should be examined before applying a temporary defense.

Generated by OpenCVE AI on April 20, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest version of Events Addon for Elementor (2.3.0 or later).
  • Reduce or remove Contributor permissions for users until the patch is deployed.
  • If upgrade is delayed, implement a web application firewall rule that blocks or sanitizes suspicious script strings from widget input fields.

Generated by OpenCVE AI on April 20, 2026 at 21:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28795 The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Sun, 31 Aug 2025 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Nicheaddons
Nicheaddons events Addon For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Nicheaddons
Nicheaddons events Addon For Elementor
Wordpress
Wordpress wordpress

Fri, 29 Aug 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 Aug 2025 08:45:00 +0000

Type Values Removed Values Added
Description The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Events Addon for Elementor <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter and Countdown Widgets
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Nicheaddons Events Addon For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:18.520Z

Reserved: 2025-07-24T21:50:42.399Z

Link: CVE-2025-8150

cve-icon Vulnrichment

Updated: 2025-08-29T16:23:18.167Z

cve-icon NVD

Status : Deferred

Published: 2025-08-29T09:15:33.277

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8150

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses