Stored Cross-Site Scripting Vulnerability in Happy Addons for Elementor Plugin
CVE-2025-14635

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Happy Addons For Elementor
Vendor
CVE Published:
23 December 2025

What is CVE-2025-14635?

The Happy Addons for Elementor plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability due to inadequate input validation and output escaping on the 'ha_page_custom_js' parameter. This flaw allows authenticated attackers with Contributor-level access and higher to inject malicious scripts into pages, which subsequently execute when other users access these compromised pages. Despite the plugin's design intention to restrict Custom JS functionality to Administrators, the vulnerability bypasses these controls, posing significant security risks to affected WordPress sites.

Affected Version(s)

Happy Addons for Elementor * <= 3.20.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/happy-elemento...
https://plugins.trac.wordpress.org/browser/happy-elemento...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

D.Sim
JSON
.