WordPress Plugin Vulnerabilities

Directorist AddonsKit for Elementor < 1.1.7 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
addonskit-for-elementor
Fixed in 1.1.7

References

CVE
CVE-2025-31857
URL
https://patchstack.com/database/wordpress/plugin/addonskit-for-elementor/vulnerability/wordpress-directorist-addonskit-for-elementor-plugin-1-1-6-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Khalid Yusuf
Verified
No
WPVDB ID
b3e16b37-85ea-468a-9416-161161a546d2

Timeline

Publicly Published
2025-04-01 (about 1 year ago)
Added
2025-04-08 (about 1 year ago)
Last Updated
2025-04-17 (about 1 year ago)

Other

Published
Title
Published
2023-06-02
Title
Contact Form and Calls To Action by vcita < 2.7.1 - Contributor+ Stored Cross-Site Scripting
Published
2024-08-29
Title
Custom Field Template < 2.6.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-14
Title
GSheetConnector for Forminator Forms < 1.0.13 - Reflected XSS
Published
2025-03-28
Title
WP-OGP <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2021-03-26
Title
Vertical News Scroller < 1.17 - Authenticated Reflected Cross-Site Scripting (XSS)