CVE-2025-8100

5.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious JavaScript into web pages using the Element Pack plugin's Open Street Map module. The injected scripts execute whenever users visit the compromised pages, enabling session hijacking, defacement, or malware distribution. WordPress sites using Element Pack Elementor Addons and Templates plugin versions 8.1.5 and earlier are affected.

💻 Affected Systems

Products:
  • Element Pack Elementor Addons and Templates for WordPress
Versions: Up to and including 8.1.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Element Pack plugin installed and contributor-level authenticated access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator sessions, install backdoors, redirect users to malicious sites, or deface the entire website, potentially leading to complete site compromise and data theft.

🟠 Likely Case

Attackers with contributor access inject malicious scripts to steal user sessions, display unwanted content, or redirect visitors to phishing/malware sites, damaging site reputation and user trust.

🟢 If Mitigated

With proper user access controls and content security policies, impact is limited to isolated page defacement or minor content manipulation without broader site compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access (contributor or higher) and knowledge of WordPress/Elementor structure. Exploitation involves injecting scripts via the marker_content parameter in Open Street Map widgets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.6 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3339093%40bdthemes-element-pack-lite&new=3339093%40bdthemes-element-pack-lite&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Element Pack Elementor Addons and Templates'.
4. Click 'Update Now' if available, or download latest version from WordPress repository.
5. Verify version is 8.1.6 or higher.

🔧 Temporary Workarounds

Disable Open Street Map Module (all platforms)

Temporarily disable the vulnerable Open Street Map module to prevent exploitation while planning update.

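Implement Content Security Policy (Apache)

Add CSP headers to restrict script execution sources and mitigate XSS impact.

Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com;"

Replace https://trusted.cdn.com with the script hosts the site actually uses. As written, this policy only limits where external scripts can be loaded from: 'unsafe-inline' still lets inline scripts and event-handler attributes injected into a page run. Blocking those requires dropping 'unsafe-inline' and allowing the site's legitimate inline scripts by nonce or hash, which should be tested against the theme and plugins before enforcing.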

🧯 If You Can't Patch

  • Restrict user roles: Remove contributor access or limit to trusted users only.
  • Monitor and audit: Regularly review page content and user activity logs for suspicious changes.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Element Pack > Version. If version is 8.1.5 or lower, site is vulnerable.

Check Version:

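wp plugin list --name=bdthemes-element-pack-lite --field=version

WP-CLI matches --name against the plugin slug (the plugin's directory name), not its display name; bdthemes-element-pack-lite is the slug that appears in the changeset URL above. If the plugin is installed under a different directory, run wp plugin list to find the slug.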

Verify Fix Applied:

After update, confirm version is 8.1.6 or higher in WordPress plugins list. Test Open Street Map widget functionality remains intact.

📡 Detection & Monitoring

Log Indicators:

  • Unusual content updates by contributor-level users
  • JavaScript injection patterns in page content
  • Multiple rapid edits to Open Street Map widgets

Network Indicators:

  • External script loads from unexpected domains in page responses
  • Suspicious POST requests to wp-admin/post.php with marker_content parameter

SIEM Query:

source="wordpress.log" AND ("marker_content" OR "open-street-map") AND status=200
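
One way to check for the "JavaScript injection patterns in page content" indicator, as an added example (not code from the plugin or the advisory): it walks a page's Elementor data as JSON and flags marker_content values that contain script-capable markup. It assumes the JSON is taken from the page's _elementor_data post meta; the sample document, its widget type and its field layout are constructed, and the pattern is a heuristic rather than a complete XSS filter.

```python
import json
import re

# Markup that has no place in a map marker popup (heuristic, not exhaustive).
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

def find_marker_content(node, path="$"):
    """Yield (json_path, value) for every string stored under a 'marker_content' key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "marker_content" and isinstance(value, str):
                yield child, value
            else:
                yield from find_marker_content(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_marker_content(item, f"{path}[{i}]")

def audit(elementor_json):
    """Return [(json_path, matched_text)] for marker_content values that look injected."""
    findings = []
    for path, value in find_marker_content(json.loads(elementor_json)):
        match = SUSPICIOUS.search(value)
        if match:
            findings.append((path, match.group(0)))
    return findings

# Constructed sample: the widget type name and settings layout are assumptions.
SAMPLE = json.dumps([{
    "elType": "section",
    "elements": [{
        "elType": "widget",
        "widgetType": "open-street-map-placeholder",
        "settings": {"markers": [
            {"marker_title": "Office", "marker_content": "<b>Main office</b>, open 9-5"},
            {"marker_title": "Depot", "marker_content": "Depot <img src=x onerror=alert(1)>"},
            {"marker_title": "Shop", "marker_content": "<script src=\"https://example.invalid/a.js\"></script>"},
        ]},
    }],
}])

if __name__ == "__main__":
    for path, hit in audit(SAMPLE):
        print(f"{path}: {hit}")
```

Because the walk keys on the field name rather than the widget type, it also reports marker_content fields nested at any depth; review each finding by hand, since legitimate marker text can occasionally match the pattern.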
