CVE-2025-69092

6.5 MEDIUM

📋 TL;DR

This DOM-based XSS vulnerability in Essential Addons for Elementor allows attackers to inject malicious scripts into web pages viewed by users. It affects WordPress sites using the Essential Addons for Elementor plugin versions up to 6.5.3. Attackers can steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • Essential Addons for Elementor Lite (WordPress plugin)
Versions: All versions up to and including 6.5.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin active. Elementor page builder must be installed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal administrator session cookies, gain full control of WordPress site, install backdoors, deface website, or steal sensitive user data.

🟠

Likely Case

Attackers steal user session cookies, redirect visitors to malicious sites, or perform limited actions within user context.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

DOM-based XSS typically requires user interaction but can be triggered via crafted links or forms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.4 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/essential-addons-for-elementor-lite/vulnerability/wordpress-essential-addons-for-elementor-plugin-6-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Essential Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 6.5.4+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin

Temporarily deactivate Essential Addons for Elementor until patched

wp plugin deactivate essential-addons-for-elementor-lite

Implement Content Security Policy

Add CSP headers to restrict script execution sources

Add to .htaccess: Header set Content-Security-Policy "script-src 'self'"
Add to wp-config.php: header("Content-Security-Policy: script-src 'self'");

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with XSS protection rules
  • Disable user input fields that could trigger the vulnerability

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin → Plugins → Essential Addons for Elementor

Check Version:

wp plugin get essential-addons-for-elementor-lite --field=version

Verify Fix Applied:

Confirm plugin version is 6.5.4 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript in POST/GET parameters
  • Suspicious user-agent strings with script tags
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests containing script tags in parameters
  • Unusual redirects to external domains

SIEM Query:

source="web_logs" AND ("<script" OR "javascript:") AND uri_path="*wp-admin*"
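The SIEM query above matches the literal strings "<script" and "javascript:", which misses URL-encoded or double-encoded requests. The following added example (not part of this advisory or the plugin) applies the same two indicators to Common Log Format access-log lines after repeated URL-decoding; the log lines are constructed for the example.

```python
"""Added example: scan access-log lines for the advisory's XSS indicators
("<script", "javascript:") after URL-decoding the request path, so that
encoded forms such as %3Cscript%3E are caught. Sample lines are constructed."""
import re
from urllib.parse import unquote_plus

# Indicators taken from the advisory's SIEM query.
INDICATORS = ("<script", "javascript:")

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(s, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded values are unwrapped."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def find_xss_indicators(lines):
    """Return (method, raw_path, indicator) for each line whose decoded path
    contains an indicator. Caveat: a DOM-based XSS payload carried in the URL
    fragment (#...) is never sent to the server, so log review alone cannot
    prove a site was not targeted."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash
        decoded = decode_fully(m.group("path")).lower()
        for ind in INDICATORS:
            if ind in decoded:
                hits.append((m.group("method"), m.group("path"), ind))
                break
    return hits

# Constructed sample lines (not real traffic): one benign, one single-encoded,
# one mixed-case javascript: URI, one double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=load HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /page/?next=JavaScript%3Avoid(0) HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /page/?ref=%253Cscript%253E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in find_xss_indicators(SAMPLE_LOG):
        print(hit)
```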
