CVE-2025-62923

MEDIUM 6.1 (CVSS 3.1)
2025-10-27

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 27, 2025 - 02:15 (nvd), MEDIUM 6.1

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Debuggers Studio Marquee Addons for Elementor marquee-addons-for-elementor allows DOM-Based XSS. This issue affects Marquee Addons for Elementor: from n/a through <= 3.8.2.

Analysis (AI)

DOM-based cross-site scripting (XSS) in the Marquee Addons for Elementor WordPress plugin, versions through 3.8.2, allows remote attackers to inject malicious scripts because input is improperly neutralized during web page generation. Exploitation requires user interaction (UI:R) and affects the confidentiality and integrity of affected websites. While the CVSS score is 6.1 (medium), the 0.02% EPSS percentile indicates low real-world exploitation probability despite public awareness.

Technical Context (AI)

The vulnerability is a DOM-based XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) affecting the Marquee Addons for Elementor WordPress plugin, a third-party widget extension for the Elementor page builder. DOM-based XSS occurs when untrusted user input is processed by client-side JavaScript without proper sanitization or encoding before being rendered into the DOM. This differs from reflected or stored XSS in that the vulnerability exists entirely in client-side code execution rather than server-side reflection or storage. Attackers can craft malicious URLs or inject payloads through page parameters that the plugin's JavaScript processes unsafely, executing arbitrary code in the victim's browser within the context of the WordPress site.

Affected Products (AI)

Marquee Addons for Elementor (marquee-addons-for-elementor) WordPress plugin, versions through 3.8.2. The plugin is distributed via the WordPress.org plugin repository and functions as an Elementor page builder extension for creating animated marquee elements. Full product identification: Debuggers Studio Marquee Addons for Elementor (vendor: Debuggers Studio, plugin slug: marquee-addons-for-elementor). Vulnerability details and advisories are available at https://patchstack.com/database/Wordpress/Plugin/marquee-addons-for-elementor/vulnerability/wordpress-marquee-addons-for-elementor-plugin-3-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve (Patchstack security audit database).

Remediation (AI)

Update Marquee Addons for Elementor to version 3.8.3 or later, which resolves the DOM-based XSS vulnerability through proper input sanitization and output encoding. Administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Marquee Addons for Elementor, and click Update if available; WordPress will handle automated updates if automatic plugin updates are enabled. For immediate mitigation pending patching, consider disabling the Marquee Addons plugin temporarily if not actively in use, or restrict plugin functionality via user role capabilities. Website administrators should verify the plugin update via the Patchstack vulnerability database or WordPress.org plugin repository to confirm version 3.8.3+ is installed. No workaround exists for the underlying vulnerability other than patching or disabling the plugin.
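To confirm which installs still fall in the affected range, the following added example (not code from the plugin, Patchstack or this page) scans a directory tree for copies of the plugin and reads each copy's header version. It assumes the standard WordPress layout (`.../plugins/<slug>/`) and a standard `Version:` plugin header; the function names and the sample header are constructed for illustration.

```python
import re
import sys
from pathlib import Path

SLUG = "marquee-addons-for-elementor"  # plugin slug given in the advisory
LAST_AFFECTED = (3, 8, 2)              # NVD description: "through <= 3.8.2"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)

# Constructed sample header (not the plugin's real file contents)
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Marquee Addons for Elementor
 * Version: 3.8.2
 */
"""


def parse_version(text):
    """Return the 'Version:' header value as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(n) for n in m.group(1).split(".")) if m else None


def is_affected(version):
    """Unreadable versions count as affected so they get a manual check."""
    return version is None or version <= LAST_AFFECTED


def installed_version(plugin_dir):
    """Check root-level PHP files; WordPress reads the header from the first 8 KiB."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" in head:
            return parse_version(head)
    return None


def scan(root):
    """Return [(plugin_dir, version, affected)] for every copy found under root."""
    found = []
    for d in Path(root).rglob(SLUG):
        if d.is_dir() and d.parent.name == "plugins":
            v = installed_version(d)
            found.append((str(d), v, is_affected(v)))
    return found


if __name__ == "__main__":
    for path, ver, bad in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: version={ver} {'AFFECTED' if bad else 'ok'}")
```

Run it with the web root (or a directory holding several sites) as the only argument; a copy whose version cannot be read is reported as affected so it is reviewed by hand.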
