Essential Addons for Elementor – Popular Elementor Templates and Widgets < 6.1.20 – Authenticated (Contributor+) Stored Cross-Site Scripting via `Calendar` And `Business Reviews` Widgets | CVE 2025-6244 | Plugin Vulnerabilities

Description

The Essential Addons for Elementor – Popular Elementor Templates and Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the via `Calendar` And `Business Reviews` Widgets attributes in all versions up to, and including, 6.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

essential-addons-for-elementor-lite

Fixed in 6.1.20

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/847a4fc7-3580-421e-8045-41b5a85f2d97

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Webbernaut

Verified

No

WPVDB ID

f4cf788d-a097-4aab-9934-ec6eba25d560

Timeline

Publicly Published

2025-07-07 (about 10 months ago)

Added

2025-07-09 (about 10 months ago)

Last Updated

2025-07-09 (about 10 months ago)

Other

Published

Title

Published

2024-06-07

Title

Pagerank Tools <= 1.1.5 - Reflected XSS

Published

2024-08-19

Title

Pocket Widget <= 0.1.3 - Admin+ Stored XSS

Published

2025-01-17

Title

Image Source Control Lite – Show Image Credits and Captions < 2.28.1 - Reflected Cross-Site Scripting

Published

2025-06-18

Title

Football Pool < 2.12.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-03-25

Title

Exchange Rates Widget < 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting