Stored Cross-Site Scripting Vulnerability in Plus Addons for Elementor by an Unknown Vendor
CVE-2025-1287
5.4MEDIUM
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 8 March 2025
What is CVE-2025-1287?
The Plus Addons for Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting, allowing authenticated attackers with Contributor-level access or higher to inject malicious scripts into pages. This occurs through the Countdown, Syntax Highlighter, and Page Scroll widgets due to a lack of proper input sanitization and output escaping. When a user accesses a page containing these injected scripts, the code executes, potentially compromising users' data and site integrity.
Affected Version(s)
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce * <= 6.2.2