What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor exclusive-addons-for-elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through <= 2.7.9.
Explanation of Vulnerability in Simple Terms
02 Summary
Exclusive Addons Elementor contains a stored cross-site scripting (XSS) vulnerability that allows authenticated administrators to inject malicious scripts into the site. When other users view affected content, the injected code executes in their browsers. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. The vulnerability requires administrator privileges and user interaction to exploit.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that execute when other users view the site, potentially stealing credentials or hijacking sessions.
Potential impact on your site
04 Site Impact
Administrators can unknowingly inject malicious code affecting all site visitors; restrict admin access to trusted users only.
Conditions required to exploit
05 Prerequisites
Attacker must have administrator access and a victim must view a page containing the injected payload.
Key dates
06 Disclosure timeline
May 19, 2025: CVE published
May 12, 2026: Record updated