Stored Cross-Site Scripting Vulnerability in aThemes Addons for Elementor Plugin
CVE-2025-8149
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 6 September 2025
What is CVE-2025-8149?
The aThemes Addons for Elementor plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability found in its Countdown widget. This issue arises from insufficient input sanitization and output escaping for user-supplied attributes. It allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts into pages, which will execute whenever a user accesses that page. Ensuring proper security measures and timely updates is crucial to mitigating this risk.
Affected Version(s)
aThemes Addons for Elementor * <= 1.1.2