Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hashthemes Easy Elementor Addons easy-elementor-addons allows Stored XSS. This issue affects Easy Elementor Addons: from n/a through <= 2.2.5.
Analysis (AI)
Stored cross-site scripting (XSS) in Easy Elementor Addons WordPress plugin through version 2.2.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or website functionality. The vulnerability affects the plugin's web page generation process and has been confirmed by security researchers at Patchstack, though no evidence of active exploitation or public exploit code is documented.
Technical Context (AI)
Easy Elementor Addons is a WordPress plugin that extends the Elementor page builder with additional widgets and functionality. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied data is not sanitized or escaped for its output context before being rendered in HTML. In this case, the plugin fails to adequately neutralize input during page generation, allowing an attacker with the ability to edit content to inject arbitrary HTML and JavaScript. Because the injected content is stored in the WordPress database and executed whenever the affected page is viewed, this is a stored (persistent) XSS vulnerability rather than a reflected one. The affected product is identified here by its WordPress.org plugin slug rather than by a CPE: the Easy Elementor Addons plugin distributed through WordPress.org.
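The escaping failure described above, illustrated on a hypothetical Elementor widget render path. This is example code added for this page, not the Easy Elementor Addons plugin's own source; the widget classes and the settings keys (title, css_class, link, link_text, description) are assumptions, while the WordPress escaping functions used in the fixed version are real core APIs.

```php
<?php
// Hypothetical Elementor widget (example written for this page, not the
// plugin's code). Elementor hands render() the widget settings that an editor
// saved, so every value echoed from them is stored, user-controlled input.

class Example_Heading_Widget_Vulnerable extends \Elementor\Widget_Base {
    public function get_name() { return 'example-heading-vuln'; }

    protected function render() {
        $s = $this->get_settings_for_display();
        // VULNERABLE (CWE-79): stored settings are concatenated straight into
        // markup. A title containing HTML, or a css_class that closes the
        // attribute, is persisted with the page and runs for every visitor.
        echo '<h2 class="' . $s['css_class'] . '">' . $s['title'] . '</h2>';
        echo '<a href="' . $s['link']['url'] . '">' . $s['link_text'] . '</a>';
        echo '<div class="desc">' . $s['description'] . '</div>';
    }
}

class Example_Heading_Widget_Fixed extends \Elementor\Widget_Base {
    public function get_name() { return 'example-heading-fixed'; }

    protected function render() {
        $s = $this->get_settings_for_display();
        // FIXED: escape per output context at the moment of page generation.
        //   esc_attr()          - attribute values
        //   esc_html()          - text nodes
        //   esc_url()           - href/src, also drops disallowed URL schemes
        //   wp_kses_post()      - fields that legitimately carry limited HTML
        //   sanitize_html_class - strips characters invalid in a class name
        printf(
            '<h2 class="%s">%s</h2>',
            esc_attr( sanitize_html_class( $s['css_class'] ) ),
            esc_html( $s['title'] )
        );
        printf(
            '<a href="%s">%s</a>',
            esc_url( $s['link']['url'] ),
            esc_html( $s['link_text'] )
        );
        // Rich-text fields must not be esc_html()'d (that would show tags as
        // text); wp_kses_post() keeps post-safe markup and removes scripts
        // and event-handler attributes.
        echo '<div class="desc">' . wp_kses_post( $s['description'] ) . '</div>';
    }
}
```

When reviewing a plugin for this class of bug, grep each widget's render() for settings values reaching echo/printf without one of these escaping calls wrapping them.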
Affected Products (AI)
hashthemes Easy Elementor Addons WordPress plugin versions from initial release through 2.2.5 inclusive are vulnerable to stored XSS. The plugin is distributed through the WordPress plugin repository and identified by the slug easy-elementor-addons. All installations running version 2.2.5 or earlier with web-facing Elementor pages are in scope.
Remediation (AI)
Update Easy Elementor Addons to version 2.2.6 or later immediately via the WordPress plugin dashboard (Plugins > Installed Plugins > Easy Elementor Addons > Update). If automatic updates are disabled, manually download the patched version from the WordPress plugin repository or the vendor's website. As an interim measure prior to patching, restrict user roles with page editing capabilities to trusted administrators only via WordPress user role management. Verify that any Elementor pages created during the vulnerable window have not been modified with injected content by reviewing page revisions. For details, consult the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/easy-elementor-addons/vulnerability/wordpress-easy-elementor-addons-plugin-2-2-5-cross-site-scripting-xss-vulnerability.