Description
The Spexo Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in the Countdown widget of the Spexo Addons for Elementor plugin. Insufficient sanitization and escaping of user‑supplied attributes let attackers inject arbitrary JavaScript into pages. When a page containing the injected widget is viewed, the script runs in the victim’s browser, potentially disclosing sensitive information or hijacking user sessions. This flaw is classified as CWE‑79.

Affected Systems

All installations of the Spexo Addons for Elementor plugin provided by TemplatesCoderThemes, versions 1.0.23 and earlier, are affected. The plugin adds a Countdown widget to WordPress sites via Elementor. Users must verify they are running a version above 1.0.23 to be exempt.

Risk and Exploitability

The CVSS score is 6.4, indicating moderate severity. EPSS is less than 1%, suggesting low likelihood of widespread exploitation, but the flaw remains relevant for sites that provide contributor‑level access or higher. Exploitation requires an authenticated contributor or higher, who can modify widget attributes through the WordPress administration interface and thereby inject malicious scripts. Once the script is stored it is executed for any user who visits the affected page. The absence of a KEV listing does not reduce the risk for sites with the vulnerability.

Generated by OpenCVE AI on April 20, 2026 at 21:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Spexo Addons for Elementor plugin to a version newer than 1.0.23, which resolves the input validation issue.
  • Remove the Countdown widget from all pages or disable it in the plugin settings to eliminate the injection vector.
  • Restrict contributor-level users from editing widgets or revoke contributor access until the update is applied.

Generated by OpenCVE AI on April 20, 2026 at 21:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25665 The Spexo Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 25 Aug 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Templatescoder
Templatescoder spexo Addons For Elementor
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Templatescoder
Templatescoder spexo Addons For Elementor
Wordpress
Wordpress wordpress

Mon, 25 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 24 Aug 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Spexo Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Spexo Addons for Elementor <= 1.0.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Elementor Elementor
Templatescoder Spexo Addons For Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:16.590Z

Reserved: 2025-07-25T18:44:01.165Z

Link: CVE-2025-8208

cve-icon Vulnrichment

Updated: 2025-08-25T11:30:34.937Z

cve-icon NVD

Status : Deferred

Published: 2025-08-24T06:15:31.837

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8208

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses