Description
The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to sanitize or escape several parameters, allowing an authenticated contributor or higher to embed arbitrary JavaScript code within its content. The injected code is stored and executed in the browser when any visitor loads the modified page, creating a stored DOM‑based XSS vector that can compromise user sessions or deliver malicious payloads.

Affected Systems

WordPress installations that have the “Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates” plugin, any release up to and including version 2.6.7.

Risk and Exploitability

The CVSS score of 6.4 reflects moderate severity. EPSS data is not available and the vulnerability is not listed in CISA KEV, indicating no known active exploitation. Attackers need Contributor‑level access or higher to inject the payload via the plugin’s editor interface, and the impact manifests to any user who subsequently visits the modified page.

Generated by OpenCVE AI on June 10, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 2.6.8 or later, or uninstall it if it is not essential to site functionality.
  • Limit access to the plugin’s content editor to only administrators, ensuring that contributors cannot modify stored content with malicious code.
  • Deploy a Content Security Policy that disallows inline scripts and restricts script sources to trusted origins to mitigate the impact of any remaining XSS vectors.

Generated by OpenCVE AI on June 10, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Wealcoder
Wealcoder animation Addons For Elementor – Gsap Motion Elementor Addons & Website Templates
Wordpress
Wordpress wordpress
Vendors & Products Wealcoder
Wealcoder animation Addons For Elementor – Gsap Motion Elementor Addons & Website Templates
Wordpress
Wordpress wordpress

Wed, 10 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates <= 2.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wealcoder Animation Addons For Elementor – Gsap Motion Elementor Addons & Website Templates
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-10T12:47:18.216Z

Reserved: 2025-07-31T19:16:21.041Z

Link: CVE-2025-8444

cve-icon Vulnrichment

Updated: 2026-06-10T12:47:14.742Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T05:16:35.840

Modified: 2026-06-10T18:35:12.690

Link: CVE-2025-8444

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:21:20Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')