CVE-2025-48244 MEDIUM

CVE-2025-48244: WordPress Exclusive Addons Elementor plugin <= 2.7.9 - Cross Site Scripting (XSS) Vulnerability

Vendor Tim Strifler
Product Exclusive Addons Elementor
Weakness CWE-79 · XSS
Published May 19, 2025
Last update May 12, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler's Exclusive Addons Elementor plugin (exclusive-addons-for-elementor) allows Stored XSS. This issue affects Exclusive Addons Elementor versions up to and including 2.7.9.

Explanation of Vulnerability in Simple Terms

02 Summary

Exclusive Addons Elementor contains a stored cross-site scripting (XSS) vulnerability that allows authenticated administrators to inject malicious scripts into the site. When other users view affected content, the injected code executes in their browsers. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The vulnerability requires administrator privileges and user interaction to exploit.

What an attacker can do

03 Attacker Capabilities

Inject malicious scripts that execute when other users view the site, potentially stealing credentials or hijacking sessions.

Potential impact on your site

04 Site Impact

Administrators can unknowingly inject malicious code affecting all site visitors; restrict admin access to trusted users only.

Conditions required to exploit

05 Prerequisites

The attacker must have administrator access, and a victim must view a page containing the injected payload.

Key dates

06 Disclosure timeline

May 19, 2025 CVE published
May 12, 2026 Record updated