Themesflat Addons For Elementor < 2.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-3275 | Plugin Vulnerabilities

Description

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TF E Slider widget in all versions up to, and including, 2.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

themesflat-addons-for-elementor

Fixed in 2.2.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4ec73a61-9ae2-4e6f-b1fa-2d61f27d6809

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Webbernaut

Verified

No

WPVDB ID

3b8f1bc1-ea42-4f15-9763-64bad15fb285

Timeline

Publicly Published

2025-04-18 (about 1 year ago)

Added

2025-04-18 (about 1 year ago)

Last Updated

2025-04-19 (about 1 year ago)

Other

Published

Title

Published

2016-03-11

Title

DW Question & Answer <= 1.4.2.2 - Stored Cross-Site Scripting (XSS)

Published

2025-05-08

Title

xili-tidy-tags <= 1.12.06 - Reflected Cross-Site Scripting

Published

2024-03-12

Title

WP Go Maps (formerly WP Google Maps) < 9.0.33 - Contributor+ Stored Cross-Site Scripting via Shortcode

Published

2023-03-27

Title

Greenshift < 5.0.0 - Author+ Stored XSS

Published

2022-08-31

Title

Simple Bitcoin Faucets <= 1.7.0 - Unauthorised AJAX Call to Stored XSS