CVE-2025-8874 in Master Addons Plugin
Summary
by MITRE • 08/12/2025
The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/12/2025
The vulnerability identified as CVE-2025-8874 affects the Master Addons plugin for WordPress, a popular add-on suite that extends Elementor's functionality with white labeling capabilities, free widgets, hover effects, conditional logic, and animation features. This plugin serves as a comprehensive toolkit for WordPress developers and content creators seeking to enhance their website's visual appeal and interactive elements. The flaw exists within the plugin's handling of user input across multiple widgets, creating a persistent security risk that can be exploited by attackers with relatively low privileges. The vulnerability specifically impacts all versions up to and including 2.0.8.6, making it a widespread concern for users who have not updated to newer releases.
The technical root cause of this vulnerability lies in the plugin's insufficient input sanitization and output escaping mechanisms. When authenticated users with Contributor-level access or higher create or modify content using the affected widgets, the plugin fails to properly validate and sanitize the data entered by users. This weakness allows malicious actors to inject malicious scripts that are then stored within the WordPress database. The stored XSS vulnerability occurs because the plugin does not adequately escape output when rendering content, creating an environment where attacker-controlled scripts can be executed in the context of other users' browsers. This type of vulnerability falls under CWE-79 which specifically addresses Cross-Site Scripting flaws in web applications, and represents a classic case of improper input validation leading to persistent script injection.
The operational impact of this vulnerability is significant for WordPress sites utilizing the affected plugin, as it enables authenticated attackers to execute arbitrary web scripts in the browsers of other users who visit pages containing the injected content. This means that any user with access to the vulnerable plugin's widgets can become a vector for malicious activity, potentially leading to session hijacking, credential theft, or redirection to malicious websites. The vulnerability is particularly concerning because it requires only Contributor-level access, which is often granted to content editors or junior staff members who may not be fully trusted within security contexts. Attackers could exploit this weakness to inject scripts that steal cookies, redirect users to phishing sites, or perform other malicious actions that compromise the integrity and security of the entire WordPress installation.
Mitigation strategies for CVE-2025-8874 should begin with immediate plugin updates to the latest available version where the vulnerability has been addressed. Users should also implement additional security measures including restricting user permissions to the minimum necessary access levels, monitoring for suspicious activity in the WordPress admin area, and implementing content security policies to reduce the impact of potential XSS attacks. The vulnerability aligns with ATT&CK technique T1566 which covers spearphishing attacks through malicious content, and represents a critical weakness in the principle of least privilege that should be addressed through proper access controls and input validation. Organizations should also consider implementing web application firewalls and regular security audits to detect and prevent similar vulnerabilities in other components of their WordPress infrastructure. Regular updates and security monitoring remain essential practices for maintaining WordPress security posture against evolving threats.