EUVD-2025-209215
GHSA-6pg6-wx4c-whr2
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in Xpro Addons - 140+ Widgets for Elementor plugin up to version 1.4.20 allows authenticated contributors and above to inject malicious scripts via the Pricing Widget's 'onClick Event' setting, which execute in the browsers of any user viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS attacks that compromise site integrity and user sessions. No active exploitation has been confirmed, but the low attack complexity and contributor-level access requirement present a moderate real-world risk for WordPress sites with contributor user bases.
Technical ContextAI
This vulnerability exploits inadequate input validation and output encoding in WordPress plugin development. The Pricing Widget's 'onClick Event' parameter accepts user input without proper sanitization before storage in the WordPress database, and fails to escape the output when rendering the parameter on the frontend. This violates the WordPress security principle of validating input and escaping output (VIPV). The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common weakness in dynamic web applications where user-controllable data reaches an HTML or JavaScript context without sanitization. The vulnerability affects the Xpro Addons plugin across all versions up to 1.4.20, as identified by the CPE cpe:2.3:a:xpro:xpro_addons_-_140+_widgets_for_elementor:*:*:*:*:*:*:*:*, meaning no version prior to the fix is protected.
RemediationAI
Upgrade the Xpro Addons - 140+ Widgets for Elementor plugin to version 1.4.21 or later, which includes fixes for input sanitization and output escaping in the Pricing Widget's 'onClick Event' parameter. Site administrators should update via the WordPress plugin management interface (Plugins > Installed Plugins > Xpro Addons, then click Update). For sites unable to update immediately, restrict contributor-level access to trusted users only and audit existing Pricing Widget configurations for suspicious 'onClick Event' values. Review the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d83ae3a4-382f-4e64-bf1e-73f953f2f654?source=cve for detailed remediation guidance and the WordPress plugin repository at https://plugins.trac.wordpress.org/changeset/3432667/xpro-elementor-addons for confirmation of the patched version.
More from same product – last 7 days
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthen
Share
External POC / Exploit Code
Leaving vuln.today