CVE-2025-3275
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious JavaScript into pages using the Themesflat Addons For Elementor plugin. The injected scripts execute whenever other users view the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using this plugin version 2.2.5 or earlier are affected.
💻 Affected Systems
- Themesflat Addons For Elementor WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over the WordPress site, install backdoors, redirect visitors to malicious sites, or deploy ransomware payloads to site visitors.
Likely Case
Attackers inject malicious scripts to steal user session cookies, display unwanted advertisements, or redirect users to phishing pages, potentially compromising user accounts and site integrity.
If Mitigated
With proper input validation and output escaping, the vulnerability is eliminated, preventing any script injection through this vector.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has Contributor privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.6 or later
Vendor Advisory: https://wordpress.org/plugins/themesflat-addons-for-elementor/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Themesflat Addons For Elementor'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 2.2.6+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable widget
allTemporarily disable the TF E Slider widget in Elementor settings to prevent exploitation while patching.
Restrict user roles
allTemporarily remove Contributor role access or limit who can create/edit posts.
🧯 If You Can't Patch
- Remove the Themesflat Addons For Elementor plugin entirely and use alternative Elementor addons
- Implement a Web Application Firewall (WAF) with XSS protection rules to block exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Themesflat Addons For Elementor' version. If version is 2.2.5 or earlier, you are vulnerable.Check Version:
wp plugin list --name='themesflat-addons-for-elementor' --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 2.2.6 or higher in WordPress admin plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Elementor endpoints containing script tags or JavaScript payloads
- Multiple page edits by Contributor-level users in short timeframes
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site that weren't present before
SIEM Query:
source="wordpress.log" AND ("tf-flexslider" OR "themesflat-addons") AND ("script" OR "javascript" OR "onclick" OR "onload")🔗 References
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/assets/js/tf-flexslider.js
- https://plugins.trac.wordpress.org/changeset/3268183/themesflat-addons-for-elementor/tags/2.2.2/assets/js/tf-flexslider.js
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4ec73a61-9ae2-4e6f-b1fa-2d61f27d6809?source=cve
