EUVD-2025-209215
GHSA-6pg6-wx4c-whr2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
Stored Cross-Site Scripting in Xpro Addons - 140+ Widgets for Elementor plugin up to version 1.4.20 allows authenticated contributors and above to inject malicious scripts via the Pricing Widget's 'onClick Event' setting, which execute in the browsers of any user viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS attacks that compromise site integrity and user sessions. No active exploitation has been confirmed, but the low attack complexity and contributor-level access requirement present a moderate real-world risk for WordPress sites with contributor user bases.
Technical Context
This vulnerability exploits inadequate input validation and output encoding in WordPress plugin development. The Pricing Widget's 'onClick Event' parameter accepts user input without proper sanitization before storage in the WordPress database, and fails to escape the output when rendering the parameter on the frontend. This violates the WordPress security principle of validating input and escaping output (VIPV). The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common weakness in dynamic web applications where user-controllable data reaches an HTML or JavaScript context without sanitization. The vulnerability affects the Xpro Addons plugin across all versions up to 1.4.20, as identified by the CPE cpe:2.3:a:xpro:xpro_addons_-_140+_widgets_for_elementor:*:*:*:*:*:*:*:*, meaning no version prior to the fix is protected.
Affected Products
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is affected in all versions up to and including 1.4.20. The vulnerability is specific to the Pricing Widget's 'onClick Event' setting parameter. Sites running version 1.4.20 or earlier are vulnerable. The vendor advisory and patch information are available via the Wordfence vulnerability report at https://www.wordfence.com/threat-intel/vulnerabilities/id/d83ae3a4-382f-4e64-bf1e-73f953f2f654?source=cve and the WordPress plugin changelog at https://plugins.trac.wordpress.org/changeset/3432667/xpro-elementor-addons.
Remediation
Upgrade the Xpro Addons - 140+ Widgets for Elementor plugin to version 1.4.21 or later, which includes fixes for input sanitization and output escaping in the Pricing Widget's 'onClick Event' parameter. Site administrators should update via the WordPress plugin management interface (Plugins > Installed Plugins > Xpro Addons, then click Update). For sites unable to update immediately, restrict contributor-level access to trusted users only and audit existing Pricing Widget configurations for suspicious 'onClick Event' values. Review the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d83ae3a4-382f-4e64-bf1e-73f953f2f654?source=cve for detailed remediation guidance and the WordPress plugin repository at https://plugins.trac.wordpress.org/changeset/3432667/xpro-elementor-addons for confirmation of the patched version.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today