Description
The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-10
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin fails to sanitize or escape several parameters, allowing an authenticated contributor or higher to embed arbitrary JavaScript code within its content. The injected code is stored and executed in the browser when any visitor loads the modified page, creating a stored DOM‑based XSS vector that can compromise user sessions or deliver malicious payloads.

Affected Systems

WordPress installations that have the “Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates” plugin, any release up to and including version 2.6.7.

Risk and Exploitability

The CVSS score of 6.4 reflects moderate severity. EPSS data is not available and the vulnerability is not listed in CISA KEV, indicating no known active exploitation. Attackers need Contributor‑level access or higher to inject the payload via the plugin’s editor interface, and the impact manifests to any user who subsequently visits the modified page.

Generated by OpenCVE AI on June 10, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 2.6.8 or later, or uninstall it if it is not essential to site functionality.
  • Limit access to the plugin’s content editor to only administrators, ensuring that contributors cannot modify stored content with malicious code.
  • Deploy a Content Security Policy that disallows inline scripts and restricts script sources to trusted origins to mitigate the impact of any remaining XSS vectors.

Generated by OpenCVE AI on June 10, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates <= 2.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-10T04:31:00.888Z

Reserved: 2025-07-31T19:16:21.041Z

Link: CVE-2025-8444

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T05:16:35.840

Modified: 2026-06-10T05:16:35.840

Link: CVE-2025-8444

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T06:30:15Z

Weaknesses