The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce < 6.3.11 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-7646 | Plugin Vulnerabilities

Description

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10 even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

the-plus-addons-for-elementor-page-builder

Fixed in 6.3.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/58fcab5e-c82e-4072-9a86-94a7f18a6e56

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

zer0gh0st

Verified

No

WPVDB ID

79d49204-4894-4efe-bcb3-2851e31c1f02

Timeline

Publicly Published

2025-07-31 (about 8 months ago)

Added

2025-07-31 (about 8 months ago)

Last Updated

2025-08-01 (about 8 months ago)

Other

Published

Title

Published

2025-04-21

Title

Ocean Extra < 2.4.7 - Contributor+ Stored XSS via Shortcode

Published

2024-02-27

Title

Custom fields shortcode <= 0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Published

2024-03-13

Title

Otter Blocks < 2.6.5 - Contributor+ Stored Cross-Site Scripting

Published

2024-10-14

Title

El mejor Cluster < 1.1.16 - Contributor+ Stored XSS

Published

2023-08-10

Title

Post Timeline < 2.2.6 - Reflected XSS