CVE-2025-2108
📋 TL;DR
This stored XSS vulnerability in the Xpro Elementor Addons WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject malicious scripts into website pages. The scripts execute whenever users view the compromised pages, potentially stealing session cookies or redirecting visitors. All WordPress sites using this plugin up to version 1.4.6.8 are affected.
💻 Affected Systems
- 140+ Widgets | Xpro Addons For Elementor – FREE WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over the WordPress site, install backdoors, deface the website, or redirect visitors to malicious sites.
Likely Case
Attackers with contributor accounts inject malicious scripts that steal user session data, display unwanted ads, or redirect users to phishing pages.
If Mitigated
With proper user access controls and regular monitoring, impact is limited to potential defacement or minor data leakage from affected pages.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple. Public proof-of-concept exists in the WordPress patch commit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.6.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3255986/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Go to Plugins → Installed Plugins. 3. Find 'Xpro Elementor Addons'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 1.4.6.9+ from WordPress.org.
🔧 Temporary Workarounds
Remove vulnerable plugin
allTemporarily disable or remove the plugin until patched
wp plugin deactivate xpro-elementor-addons
wp plugin delete xpro-elementor-addons
Restrict user roles
allTemporarily remove Contributor and Author roles or limit their capabilities
wp user list --role=contributor --field=ID
wp user set-role <user_id> subscriber
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Install web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.4.6.8 or lower, you are vulnerable.Check Version:
wp plugin get xpro-elementor-addons --field=versionVerify Fix Applied:
Verify plugin version is 1.4.6.9 or higher. Check that 'title_tag' and 'html_tag' parameters in Site Title widget now properly escape output.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with Xpro plugin parameters
- Multiple page edits by Contributor-level users in short time
Network Indicators:
- Script tags with unusual attributes in page responses
- External JavaScript loading from unexpected domains
SIEM Query:
source="wordpress.log" AND ("xpro" OR "site-title") AND ("POST" OR "admin-ajax")