aThemes Addons for Elementor < 1.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget | CVE 2025-12837 | Plugin Vulnerabilities

Description

The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

athemes-addons-for-elementor-lite

Fixed in 1.1.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/75a3a8ee-42c6-4963-bb48-6794b310b861

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Abu Hurayra (HurayraIIT)

Verified

No

WPVDB ID

173d15be-0212-4905-8284-8d39c47f1e9d

Timeline

Publicly Published

2025-11-07 (about 6 months ago)

Added

2025-11-07 (about 6 months ago)

Last Updated

2025-11-08 (about 6 months ago)

Other

Published

Title

Published

2025-08-11

Title

RT Easy Builder <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-01-06

Title

Blog Designer – Post and Widget < 2.4.1 - Contributor+ Stored XSS via Shortcode

Published

2020-08-29

Title

Real Estate 7 < 3.0.5 - Unauthenticated Reflected XSS

Published

2023-03-22

Title

InPost Gallery < 2.1.4.2 - Reflected XSS

Published

2023-06-19

Title

Companion Sitemap Generator < 4.5.3 - Reflected XSS