{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6252", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-18T19:37:05.618Z", "datePublished": "2025-06-28T04:21:32.752Z", "dateUpdated": "2026-04-08T16:35:36.134Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:36.134Z"}, "affected": [{"vendor": "qodeinteractive", "product": "Qi Addons For Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Qi Addons For Elementor <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0ef82a52-0a32-4dc4-b027-3d2098549404?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/qi-addons-for-elementor/trunk/assets/js/main.js"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3318746%40qi-addons-for-elementor%2Ftrunk&old=3308494%40qi-addons-for-elementor%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-06-26T15:40:46.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-27T16:10:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-30T18:32:16.178380Z", "id": "CVE-2025-6252", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-30T18:32:27.747Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6252", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-30T18:32:16.178380Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-30T18:32:21.113Z"}}], "cna": {"title": "Qi Addons For Elementor <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "qodeinteractive", "product": "Qi Addons For Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.9.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-26T15:40:46.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-27T16:10:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0ef82a52-0a32-4dc4-b027-3d2098549404?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/qi-addons-for-elementor/trunk/assets/js/main.js"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3318746%40qi-addons-for-elementor%2Ftrunk&old=3308494%40qi-addons-for-elementor%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:36.134Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6252", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:35:36.134Z", "dateReserved": "2025-06-18T19:37:05.618Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-28T04:21:32.752Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qodeinteractive:qi_addons_for_elementor:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "79C4AF0F-304A-44E7-A770-4BC1B483A0CE", "versionEndExcluding": "1.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Qi Addons para Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de varios par\u00e1metros en todas las versiones hasta la 1.9.1 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6252", "lastModified": "2025-07-07T14:51:20.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-28T05:15:24.710", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/qi-addons-for-elementor/trunk/assets/js/main.js"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3318746%40qi-addons-for-elementor%2Ftrunk&old=3308494%40qi-addons-for-elementor%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0ef82a52-0a32-4dc4-b027-3d2098549404?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:46:45.562457+00:00", "value": {"mitigation_remediation": ["Update Qi Addons For Elementor to a version above 1.9.1", "If an update is not immediately possible, remove or disable the plugin on all sites until the fix is applied", "Restrict Contributor\u2011level access or remove untrusted contributors from sites where the plugin is installed"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress sites that have the Qi Addons For Elementor plugin installed and running a vulnerable version (1.9.1 or earlier). The vendor is qodeinteractive, and the product is Qi Addons For Elementor. These sites typically rely on the plugin to add advanced elements to pages, and the vulnerability lives within server\u2011side stored content that is rendered back to visitors.", "description_and_impact": "The vulnerability exists in Qi Addons For Elementor plugin for WordPress, affecting all versions up to 1.9.1. Insufficient input sanitization and output escaping allows an attacker who can add or edit content\u2014any user with Contributor or higher role\u2014to store malicious JavaScript in plugin\u2011managed fields. When a page containing the injected data is later loaded by another visitor, the script executes in that visitor\u2019s browser, enabling session hijacking, credential theft, or defacement. This is a classic stored cross\u2011site scripting (CWE\u201179) flaw.", "risk_and_exploitability": "The CVSS score of 6.4 reflects moderate severity, and the EPSS score of less than 1\u202f% suggests a low current exploitation probability. The flaw is not listed in CISA\u2019s KEV catalogue. Exploitation requires the attacker to be authenticated with at least Contributor access, so the threat surface is limited to trusted users or compromised contributor accounts. Nonetheless an attacker who gains such an account can place malicious payloads that will run for every visitor to the affected page, providing ample opportunities for phishing, credential stealing, or spreading further malware."}}}}, "created": "2025-07-06T22:16:31.006555+00:00", "updated": "2026-04-22T15:00:05.605319+00:00", "vendors": ["qodeinteractive", "qodeinteractive$PRODUCT$qi_addons_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}