CVE-2025-13977 – This stored XSS vulnerability in the Essential ... (How to Fix)

Q: What is the severity of CVE-2025-13977?

CVE-2025-13977 has a CVSS score of 6.4 (MEDIUM). This stored XSS vulnerability in the Essential Addons for Elementor WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into website pages. The scripts execute automatically when users visit compromised pages, potentially stealing session cookies, redirecting users, or performing actions on their behalf. All WordPress sites using vulnerable versions of this plugin are affected.

📋 TL;DR

This stored XSS vulnerability in the Essential Addons for Elementor WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into website pages. The scripts execute automatically when users visit compromised pages, potentially stealing session cookies, redirecting users, or performing actions on their behalf. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:

Essential Addons for Elementor – Popular Elementor Templates & Widgets

Versions: All versions up to and including 6.5.3

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Contributor-level or higher authenticated access. Affects both free and premium versions.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over websites, redirect users to malicious sites, or deploy malware to visitors' browsers.

🟠

Likely Case

Attackers with contributor accounts inject malicious scripts that steal user session data or perform unauthorized actions on behalf of users visiting compromised pages.

🟢

If Mitigated

With proper user role management and input validation, impact is limited to script execution in browser context only.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is technically simple once attacker has Contributor-level credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.4 and later

Vendor Advisory: https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Essential Addons for Elementor'. 4. Click 'Update Now' if available. 5. Alternatively, download version 6.5.4+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable widgets

all

Temporarily disable the Event Calendar widget and Image Masking module in plugin settings

Restrict user roles

all

Remove Contributor-level access for untrusted users and implement least privilege principles

🧯 If You Can't Patch

Implement Web Application Firewall (WAF) with XSS protection rules
Enable Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Essential Addons for Elementor → Version number. If version is 6.5.3 or lower, you are vulnerable.

Check Version:

wp plugin list --name='essential-addons-for-elementor' --field=version

Verify Fix Applied:

After updating, verify version is 6.5.4 or higher in WordPress plugins page.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to wp-admin/admin-ajax.php with plugin-specific parameters
Suspicious JavaScript in page content or database entries

Network Indicators:

Unexpected script tags loading from your domain
Suspicious outbound connections from user browsers after visiting your site

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" AND (param="eael_event_calendar" OR param="eael_image_masking"))

📊 Metadata

CVE ID: CVE-2025-13977

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.04% exploit probability (12.5th percentile)

Published: December 17, 2025

Last Updated: December 18, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13977, you might also want to check these: