Description
The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typing Letter widget in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via plugin widget
Action: Update Plugin
AI Analysis

Impact

The Pack Elementor addon for WordPress contains a stored cross‑site scripting vulnerability in its Typing Letter widget. Because user supplied attributes are not sanitized or escaped, an authenticated attacker with contributor‑level access or higher can inject arbitrary JavaScript that is saved to the page and executed whenever any visitor loads that page. The injected script can steal credentials, deface content, or perform other malicious actions for all users who view the affected page. This is a CWE‑79 (Cross‑Site Scripting) vulnerability.

Affected Systems

The vulnerability affects the Pack Elementor addon by WebAngon. All releases up to and including version 2.1.5 are impacted.

Risk and Exploitability

The CVSS base score is 6.4, indicating medium severity. The EPSS score is below 1%, implying a low probability that the flaw is being actively exploited in the wild, and it is not listed by CISA in the KEV catalog. Exploitation requires a user role of contributor or higher and insertion of malicious code through the widget interface. Once the code is stored, it is executed for every user who accesses the page, potentially leading to credential theft or defacement.

Generated by OpenCVE AI on April 20, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pack Elementor addon to the latest version that contains the patch for this stored XSS issue (CWE‑79).
  • If an upgrade cannot be performed immediately, disable or remove the Typing Letter widget to eliminate the vulnerable input path (CWE‑79).
  • Limit contributor permissions or enforce strict review processes so that only trusted users can add or edit widget content (CWE‑79).


Advisories
Source: EUVD
ID: EUVD-2025-31678
Title: The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typing Letter widget in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 18:30:00 +0000


Tue, 30 Sep 2025 14:15:00 +0000

Values Added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Sep 2025 09:00:00 +0000

Values Added:
First Time appeared: Webangon; Webangon the Pack Elementor Addons; Wordpress; Wordpress wordpress
Vendors & Products: Webangon; Webangon the Pack Elementor Addons; Wordpress; Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Values Added:
Description: The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typing Letter widget in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title: The Pack Elementor addon <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typing Letter Widget
Weaknesses: CWE-79
References:
Metrics: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:54.971Z

Reserved: 2025-07-25T20:34:01.061Z

Link: CVE-2025-8214

Vulnrichment

Updated: 2025-09-30T13:17:19.366Z

NVD

Status: Deferred

Published: 2025-09-30T11:37:45.263

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses