WordPress Plugin Vulnerabilities

Ultimate Addons for Elementor Lite < 2.5.0 - Author+ Stored XSS

Description

The plugin does not sanitize SVG file contents when uploaded through the xmlrpc.php endpoint using base64 encode, leading to a Cross-Site Scripting vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
header-footer-elementor
Fixed in 2.5.0

References

CVE
CVE-2025-9703

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Tony
Submitter
Tony
Verified
Yes
WPVDB ID
4332d49b-d58c-4728-afab-6757ff9e43ee

Timeline

Publicly Published
2025-09-15 (about 3 months ago)
Added
2025-09-15 (about 3 months ago)
Last Updated
2025-09-15 (about 3 months ago)

Other

Published
Title
Published
2025-10-02
Title
A Simple Multilanguage Plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-02-07
Title
Yellow Yard < 2.8.12 - Contributor+ Stored XSS
Published
2022-12-23
Title
Super Socializer < 7.13.44 - Contributor+ Stored XSS
Published
2022-07-18
Title
YaySMTP < 2.2.1 - Subscriber+ Stored Cross-Site Scripting
Published
2025-02-21
Title
WPYog Documents < 1.3.6 - Reflected Cross-Site Scripting