WordPress Plugin Vulnerabilities

Master Addons for Elementor < 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Master Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.9.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
master-addons
Fixed in 2.1.0

References

CVE
CVE-2025-63055
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a49ba7e1-ef85-43d6-8685-4cb4e6b7208e

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Abu Hurayra (HurayraIIT)
Verified
No
WPVDB ID
27df845a-164c-40e4-826a-ec8a80e5824b

Timeline

Publicly Published
2025-12-05 (about 6 months ago)
Added
2025-12-11 (about 6 months ago)
Last Updated
2026-01-27 (about 5 months ago)

Other

Published
Title
Published
2023-09-25
Title
Options for Twenty Seventeen < 2.5.1 - Contributor+ Stored Cross-Site Scripting
Published
2025-07-01
Title
Magic Buttons for Elementor < 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode
Published
2025-10-21
Title
WP Responsive Meet The Team <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-06-27
Title
DL Robots.txt <= 1.2 - Admin+ Stored XSS
Published
2023-07-03
Title
wpForo Forum < 2.1.9 - Reflected Cross-Site Scripting