CVE-2025-7646 in Plus Addons for Elementor Plugin
Summary
by MITRE • 08/01/2025
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10 even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/01/2025
The vulnerability identified as CVE-2025-7646 affects the Plus Addons for Elementor plugin, a popular WordPress extension that provides additional functionality including page templates, widgets, and WooCommerce integration. This plugin is widely used across WordPress installations, making the vulnerability particularly concerning from a security perspective. The issue manifests as a stored cross-site scripting vulnerability that exists within the plugin's handling of custom script parameters, specifically impacting versions up to and including 6.3.10. The vulnerability's severity is amplified by the fact that it can be exploited by users with Contributor-level access or higher, which represents a relatively low privilege threshold for exploitation within WordPress's capability system.
The technical flaw resides in the plugin's insufficient input validation and output sanitization mechanisms for the custom script parameter field. When administrators or contributors with appropriate permissions enter malicious script content into this parameter, the plugin fails to properly sanitize or escape the input before storing it in the database. This stored malicious content then executes whenever any user accesses a page that contains the injected script, creating a persistent XSS vector. The vulnerability is particularly dangerous because it does not require the unfiltered_html capability, which is typically needed for more advanced XSS attacks, making it accessible to users with minimal privileges. This flaw directly maps to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), which is a fundamental web application security weakness.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious sites. Since the vulnerability affects pages that are accessed by various users, the potential attack surface is broad and can compromise multiple users within the WordPress environment. The stored nature of the vulnerability means that the malicious scripts remain persistent even after the initial injection, continuously affecting users who access the compromised pages. This characteristic aligns with ATT&CK technique T1566.001: Phishing: Spearphishing Attachment, where attackers can use the compromised environment to deliver malicious payloads to unsuspecting users. The vulnerability particularly affects WordPress sites where contributors or higher-level users have access to the plugin's configuration interfaces, making it a significant concern for sites with multiple user roles and collaborative editing environments.
Organizations should immediately update to the latest version of the Plus Addons for Elementor plugin to remediate this vulnerability, as no patch was available for versions prior to the fix. Administrators should also implement additional monitoring of user activities within the WordPress environment, particularly around plugin configuration changes and content modifications. Access controls should be reviewed to limit the number of users with Contributor-level access or higher, and security audits should be conducted to identify any previously injected malicious scripts. The vulnerability demonstrates the importance of proper input validation and output escaping in web applications, as outlined in OWASP Top 10 2021 Category A03: Injection, which emphasizes the need for robust sanitization mechanisms to prevent malicious code execution. Additionally, implementing Content Security Policy (CSP) headers can provide an additional layer of protection against XSS attacks by restricting the sources from which scripts can be loaded, though this should be considered a mitigation rather than a complete solution to the underlying vulnerability.