{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-2108", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-07T21:07:23.239Z", "datePublished": "2025-03-20T06:54:57.470Z", "dateUpdated": "2026-04-08T16:32:21.394Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:21.394Z"}, "affected": [{"vendor": "xpro", "product": "Xpro Addons \u2014 140+ Widgets for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.7.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The 140+ Widgets | Xpro Addons For Elementor \u2013 FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018Site Title\u2019 widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "140+ Widgets | Xpro Addons For Elementor \u2013 FREE <= 1.4.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Site Title' widget", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/009b9b0d-6cbd-402e-bc81-24661ff16b9d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/site-title/layout/frontend.php#L29"}, {"url": "https://plugins.trac.wordpress.org/changeset/3255986/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Prissy Mesh"}], "timeline": [{"time": "2025-03-19T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-20T15:02:43.187270Z", "id": "CVE-2025-2108", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T15:02:48.150Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2108", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-20T15:02:43.187270Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T15:02:33.968Z"}}], "cna": {"title": "140+ Widgets | Xpro Addons For Elementor \u2013 FREE <= 1.4.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Site Title' widget", "credits": [{"lang": "en", "type": "finder", "value": "Prissy Mesh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "xpro", "product": "140+ Widgets | Xpro Addons For Elementor \u2013 FREE", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.4.7.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-19T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/009b9b0d-6cbd-402e-bc81-24661ff16b9d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/site-title/layout/frontend.php#L29"}, {"url": "https://plugins.trac.wordpress.org/changeset/3255986/"}], "descriptions": [{"lang": "en", "value": "The 140+ Widgets | Xpro Addons For Elementor \u2013 FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018Site Title\u2019 widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-20T06:54:57.470Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2108", "state": "PUBLISHED", "dateUpdated": "2025-03-20T15:02:48.150Z", "dateReserved": "2025-03-07T21:07:23.239Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-20T06:54:57.470Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The 140+ Widgets | Xpro Addons For Elementor \u2013 FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018Site Title\u2019 widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento 140+ Widgets | Xpro Addons For Elementor \u2013 FREE para Elementor es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s de los par\u00e1metros \"title_tag\" y \"html_tag\" del widget \"T\u00edtulo del sitio\" en todas las versiones hasta la 1.4.6.8 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar secuencias de comandos web arbitrarias en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-2108", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-20T07:15:38.187", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk/widgets/site-title/layout/frontend.php#L29"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3255986/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/009b9b0d-6cbd-402e-bc81-24661ff16b9d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:46:23.272274+00:00", "value": {"mitigation_remediation": ["Upgrade Xpro Addons to any version newer than 1.4.6.8, preferably 1.4.7.1 or later.", "If an upgrade is not immediately possible, restrict Contributors from using the Site Title widget or remove the widget entirely from their editing capabilities.", "Deploy a Web Application Firewall that blocks or sanitizes dangerous payloads in the title_tag and html_tag fields."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All systems running Xpro Addons \u2013 140+ Widgets for Elementor up to and including version 1.4.6.8 are susceptible. The issue does not affect newer releases such as 1.4.7.1 and later.", "description_and_impact": "The \u2019Site Title\u2019 widget in Xpro Addons for Elementor allows an authenticated user with Contributor or higher privileges to inject arbitrary JavaScript through its title_tag and html_tag fields because the input is not properly sanitized or escaped. When the affected page is viewed, the malicious script runs in the visitor\u2019s browser, giving the attacker potential to steal credentials, hijack sessions, or perform defacement. This is a classic stored XSS flaw (CWE\u201179).", "risk_and_exploitability": "With a CVSS score of 6.4, the vulnerability carries a moderate risk to confidentiality, integrity, and availability. The EPSS score is below 1\u2009%, indicating a low probability of active exploitation today, and the flaw is not listed in the CISA KEV catalog. However, because the attack requires only Contributor\u2011level access, an attacker who can compromise a legitimate contributor account can embed malicious code that will execute for anyone who views the affected page. The stored nature of the flaw means the damage persists until the plugin is patched or the content sanitized."}}}}, "created": "2026-04-22T18:00:05.474435+00:00", "updated": "2026-04-22T18:00:05.474446+00:00", "vendors": []}