{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12837", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T20:06:06.183Z", "datePublished": "2025-11-08T09:28:10.706Z", "dateUpdated": "2026-04-08T17:01:22.443Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:22.443Z"}, "affected": [{"vendor": "smub", "product": "aThemes Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "aThemes Addons for Elementor <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75a3a8ee-42c6-4963-bb48-6794b310b861?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.5/inc/modules/widgets/call-to-action/class-call-to-action.php#L938"}, {"url": "https://wordpress.org/plugins/athemes-addons-for-elementor-lite/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3391638%40athemes-addons-for-elementor-lite&old=3382628%40athemes-addons-for-elementor-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra"}], "timeline": [{"time": "2025-11-06T20:21:14.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-07T20:47:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-10T14:07:13.119123Z", "id": "CVE-2025-12837", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:13:48.536Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12837", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-10T14:07:13.119123Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:07:19.353Z"}}], "cna": {"title": "aThemes Addons for Elementor <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget", "credits": [{"lang": "en", "type": "finder", "value": "Abu Hurayra"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "smub", "product": "aThemes Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-06T20:21:14.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-07T20:47:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75a3a8ee-42c6-4963-bb48-6794b310b861?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.5/inc/modules/widgets/call-to-action/class-call-to-action.php#L938"}, {"url": "https://wordpress.org/plugins/athemes-addons-for-elementor-lite/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3391638%40athemes-addons-for-elementor-lite&old=3382628%40athemes-addons-for-elementor-lite&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:22.443Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12837", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:01:22.443Z", "dateReserved": "2025-11-06T20:06:06.183Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-08T09:28:10.706Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12837", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-08T10:15:41.877", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.5/inc/modules/widgets/call-to-action/class-call-to-action.php#L938"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3391638%40athemes-addons-for-elementor-lite&old=3382628%40athemes-addons-for-elementor-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/athemes-addons-for-elementor-lite/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75a3a8ee-42c6-4963-bb48-6794b310b861?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:33:39.538858+00:00", "value": {"mitigation_remediation": ["Update the aThemes Addons for Elementor plugin to version 1.1.6 or later to remove the vulnerable code", "If an update cannot be applied immediately, remove or disable the Call To Action widget for contributors, or restrict the contributor role to read\u2011only access so the widget cannot be modified", "Deploy a Content Security Policy that restricts inline script execution and disallows scripts from untrusted sources as a temporary protective measure"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross-Site Scripting allowing authenticated contributors to inject arbitrary scripts"}, "threat_synthesis": {"affected_systems": "All WordPress sites running aThemes Addons for Elementor version 1.1.5 or earlier are affected. No specific hardware or OS requirements are mentioned; the flaw exists purely in the plugin\u2019s PHP code that renders widget output.", "description_and_impact": "The aThemes Addons for Elementor plugin suffers from insufficient sanitization and escaping in its Call To Action widget, leading to stored Cross\u2011Site Scripting. An authenticated contributor or higher can embed malicious scripts in widget content that will run in the browsers of any visitor to the affected page, potentially enabling session hijacking, defacement, or data theft.", "risk_and_exploitability": "The CVSS score of 6.4 classifies the issue as a medium\u2011severity vulnerability. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid contributor\u2011level credentials and user interaction with the vulnerable widget, making it more limited compared to publicly exploitable flaws."}}}}, "created": "2025-11-10T09:33:23.379243+00:00", "updated": "2026-04-21T18:45:06.072688+00:00", "vendors": ["athemes", "athemes$PRODUCT$athemes_addons_for_elementor", "elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}