CVE-2025-2108 in 140+ WidgetsPlugin
Summary
by MITRE • 03/20/2025
The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Site Title’ widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/20/2025
The vulnerability identified as CVE-2025-2108 affects the 140+ Widgets | Xpro Addons For Elementor WordPress plugin, specifically targeting versions through 1.4.6.8. This represents a critical security flaw that enables stored cross-site scripting attacks through the Site Title widget's title_tag and html_tag parameters. The issue stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating a persistent security risk that can be exploited by authenticated attackers.
The technical flaw manifests when authenticated users with Contributor-level permissions or higher manipulate the Site Title widget parameters. The plugin fails to properly sanitize user input before storing it in the database, allowing malicious scripts to be persisted. When other users access pages containing these injected scripts, the malicious code executes in their browsers, creating a stored XSS vector. This vulnerability operates at the application layer and can be classified under CWE-79 as improper neutralization of input during web page generation. The attack requires minimal privileges but can have significant impact due to the broad accessibility of WordPress sites.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with potential access to sensitive user data and session information. Authenticated attackers can leverage this flaw to perform actions such as stealing cookies, redirecting users to malicious sites, or executing arbitrary commands on behalf of legitimate users. The vulnerability affects all users who have access to the Elementor editor and can modify widget configurations, making it particularly dangerous in multi-user environments where contributor roles are commonly granted. This aligns with ATT&CK technique T1566.001 for credential access through social engineering and T1059.001 for command and scripting interpreter execution.
Mitigation strategies should focus on immediate patching of the affected plugin to version 1.4.6.9 or later, which addresses the input sanitization issues. Administrators should also implement strict role-based access controls, limiting contributor-level permissions to trusted individuals only. Additionally, regular security audits of WordPress plugins and themes are essential to identify similar vulnerabilities. The implementation of Content Security Policy headers can provide an additional layer of defense against XSS attacks, though this should not replace proper input validation. Organizations should also consider implementing web application firewalls to detect and block malicious script injection attempts, while maintaining comprehensive monitoring of user activities within the WordPress admin interface to identify potential exploitation attempts.