CVE-2025-7498

6.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into pages using the Exclusive Addons for Elementor plugin's Countdown Widget. The scripts are stored and execute whenever users view the compromised pages, enabling cross-site scripting attacks. All WordPress sites using this plugin up to version 2.7.9.4 are affected.

💻 Affected Systems

Products:
  • Exclusive Addons for Elementor WordPress plugin
Versions: All versions up to and including 2.7.9.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Elementor and the Exclusive Addons plugin installed. Contributor-level access or higher is needed to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, perform session hijacking, redirect users to malicious sites, or deface websites by injecting persistent malicious scripts that affect all visitors.

🟠 Likely Case

Attackers with contributor access inject malicious JavaScript to steal user session cookies or credentials, potentially compromising user accounts and enabling further attacks.

🟢 If Mitigated

With proper user access controls and content security policies, impact is limited to potential defacement or limited data exposure from affected pages.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access (Contributor role or higher). Attackers need to create or edit posts/pages containing the vulnerable Countdown Widget.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.7.9.5 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3326867%40exclusive-addons-for-elementor&new=3326867%40exclusive-addons-for-elementor&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Exclusive Addons for Elementor'.
4. Click 'Update Now' if available, or download version 2.7.9.5+ from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable Countdown Widget

all

Temporarily disable the vulnerable Countdown Widget feature until patching is possible

Restrict User Roles

all

Temporarily restrict Contributor and Author roles from creating/editing posts containing Elementor widgets

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Review and audit all posts/pages created by Contributor-level users for suspicious content

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Exclusive Addons for Elementor → Version. If version is 2.7.9.4 or lower, you are vulnerable.

Check Version:

wp plugin get exclusive-addons-for-elementor --field=version

Verify Fix Applied:

After updating, verify plugin version shows 2.7.9.5 or higher in WordPress admin panel.
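The version check above, as an added helper script that is not part of this advisory: it feeds the wp-cli output (or any version string) through a POSIX-shell dot-separated version comparison, so "2.7.9" and "2.7.9.4" both report as vulnerable while "2.7.9.5" and "2.8.0" report as patched. It assumes purely numeric version components; the sample version is a constructed value.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an installed
# Exclusive Addons for Elementor version against the fixed release.
# For a live site, pass the output of:
#   wp plugin get exclusive-addons-for-elementor --field=version
FIXED_VERSION="2.7.9.5"

# version_lt A B -> returns 0 when A is strictly older than B.
# Compares component by component; a missing component counts as 0,
# so "2.7.9" < "2.7.9.5". Assumes numeric components only.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# exad_status VERSION -> prints "vulnerable" (<= 2.7.9.4) or "patched".
exad_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Stand-alone run: use the first argument, or a constructed sample.
exad_status "${1:-2.7.9.4}"
```

On a real host, run it as `exad_status "$(wp plugin get exclusive-addons-for-elementor --field=version)"` after sourcing the script.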

📡 Detection & Monitoring

Log Indicators:

  • Unusual post/page edits by Contributors/Authors, especially involving Elementor widgets
  • Multiple failed login attempts followed by successful Contributor-level login

Network Indicators:

  • Unexpected JavaScript payloads in page responses containing Countdown Widgets
  • External script calls from pages using Exclusive Addons plugin

SIEM Query:

source="wordpress" AND ((event="plugin_update" AND plugin="exclusive-addons-for-elementor" AND version<="2.7.9.4") OR (event="post_edit" AND user_role IN ("contributor","author") AND content CONTAINS "exad-countdown"))

🔗 References
