CVE-2025-8874 - Vulnerability Details

- Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations <= 2.0.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via fancyBox

Description

The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-08-12

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability enables an authenticated user with Contributor level or higher to embed JavaScript into the plugin’s widgets. The injected script is stored in the database and executed whenever a user views the affected page. This can potentially allow an attacker to steal credentials, deface content, or perform other malicious actions; these effects are inferred from typical XSS exploit scenarios. The flaw stems from insufficient input sanitization and output escaping when rendering the fancyBox widget, classified as CWE‑79.

Affected Systems

WordPress sites running the Master Addons for Elementor plugin version 2.0.8.6 or earlier are affected. It is a plugin for the WordPress CMS, named Master Addons for Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits, which is maintained by the vendor litonice13.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, but the EPSS score of less than 1 % suggests a low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalog, meaning no known widespread exploitation has been reported. However, because the attack requires authenticated Contributor access, sites with a broad Contributor user base are at heightened risk. Exploitation is straightforward once the role is obtained, as the injected code is executed automatically when any user accesses the page containing the widget.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

litonice13

Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.0.9.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Master Addons to the latest plugin version that fixes the XSS issue.
If an update is not available, remove or deactivate the widgets that allow arbitrary JavaScript insertion, especially the fancyBox widget.
Limit Contributor and higher roles from accessing the plugin’s widget editing features, or disable the problematic widgets for those roles.
Conduct a full scan of the database for previously injected scripts and purge them from affected content.

Generated by OpenCVE AI on April 21, 2026 at 19:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-24226	The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/vendor/fancybox/jquery.fancybox.min.js
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338452%40master-addons&new=3338452%40master-addons&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3340128%40master-addons&new=3340128%40master-addons&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/log/master-addons/
https://www.wordfence.com/threat-intel/vulnerabilities/id/44e4fb1b-eed4-4ef9-9856-7c5095117aa7?source=cve

History

Tue, 12 Aug 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 12 Aug 2025 06:45:00 +0000

Type	Values Removed	Values Added
Description		The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations <= 2.0.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via fancyBox
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/vendor/fancybox/jquery.fancybox.min.js https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338452%40master-addons&new=3338452%40master-addons&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3340128%40master-addons&new=3340128%40master-addons&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/log/master-addons/ https://www.wordfence.com/threat-intel/vulnerabilities/id/44e4fb1b-eed4-4ef9-9856-7c5095117aa7?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-08-12T06:42:41.228Z

Updated: 2026-04-08T16:49:28.128Z

Reserved: 2025-08-11T18:41:30.150Z

Link: CVE-2025-8874

Vulnrichment

Updated: 2025-08-12T20:06:01.081Z

NVD

Status : Deferred

Published: 2025-08-12T07:15:30.943

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object