{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6550", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-23T20:02:33.314Z", "datePublished": "2025-06-27T07:22:22.424Z", "dateUpdated": "2026-04-08T16:50:50.222Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:50.222Z"}, "affected": [{"vendor": "webangon", "product": "The Pack Elementor addon", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018slider_options\u2019 parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "The Pack Elementor addon <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4af2f136-5806-4d5e-a72d-486c4839a695?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/testimonial_1/one.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/carousel_parallax/view.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/imgbox_1/view.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/imgbox_4/view.php#L57"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/sliderparallax/view.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/testimonial_5/one.php#L33"}, {"url": "https://plugins.trac.wordpress.org/changeset/3320280/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3321887/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-06-26T19:07:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-27T13:50:48.560006Z", "id": "CVE-2025-6550", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-27T13:51:09.167Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6550", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-27T13:50:48.560006Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-27T13:50:53.566Z"}}], "cna": {"title": "The Pack Elementor addon <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "webangon", "product": "The Pack Elementor addon", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-26T19:07:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4af2f136-5806-4d5e-a72d-486c4839a695?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/testimonial_1/one.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/carousel_parallax/view.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/imgbox_1/view.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/imgbox_4/view.php#L57"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/sliderparallax/view.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/testimonial_5/one.php#L33"}, {"url": "https://plugins.trac.wordpress.org/changeset/3320280/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3321887/"}], "descriptions": [{"lang": "en", "value": "The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018slider_options\u2019 parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:50.222Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6550", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:50:50.222Z", "dateReserved": "2025-06-23T20:02:33.314Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-27T07:22:22.424Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webangon:the_pack_elementor_addons:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1D28D0C1-5B64-4CF5-8364-4E146BDCE1B2", "versionEndIncluding": "2.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018slider_options\u2019 parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento The Pack Elementor para WordPress es vulnerable a cross site scripting almacenado a trav\u00e9s del par\u00e1metro 'slider_options' en todas las versiones hasta la 2.1.3 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6550", "lastModified": "2025-07-08T22:15:28.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-27T08:15:23.053", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/carousel_parallax/view.php#L25"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/imgbox_1/view.php#L31"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/imgbox_4/view.php#L57"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/sliderparallax/view.php#L37"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/testimonial_1/one.php#L46"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/the-pack-addon/trunk/includes/widgets/element/testimonial_5/one.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3320280/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3321887/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4af2f136-5806-4d5e-a72d-486c4839a695?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:12:43.320278+00:00", "value": {"mitigation_remediation": ["Apply an official plugin update once a fix is released.", "If an update is not immediately available, remove Contributor\u2011level permissions that allow editing of widget content or revoke access to the slider_options parameter.", "Implement custom input sanitization or a content filtering strategy to escape any JavaScript before rendering the widget content."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that allows an authenticated Contributor or higher to inject scripts which execute in the browsers of other site users"}, "threat_synthesis": {"affected_systems": "All versions of the plugin up to and including 2.1.4 are vulnerable. The plugin is distributed by webangon as a WordPress extension that can be deployed on any WordPress site that includes it.", "description_and_impact": "This flaw resides in the \u2018slider_options\u2019 parameter of the The Pack Elementor addon for WordPress. Insufficient sanitization and escaping permit stored XSS, enabling a logged\u2011in user with Contributor\u2011level access or higher to embed arbitrary JavaScript into page content. When any visitor opens the affected page, the script runs in their browser, potentially exposing session cookies, credential phishing, or arbitrary actions on behalf of the user.", "risk_and_exploitability": "The CVSS score is 6.4 and the EPSS value is less than 1%, indicating a moderate severity but a low probability of widespread exploitation. The flaw is not listed in the CISA KEV catalog. Because exploitation requires authenticated Contributor or higher access, an attacker only gains this capability if they have already compromised a WordPress role with sufficient privileges or if an attacker can elevate through other means. The likely attack vector is a legitimate contributor adding or editing widget content that includes malicious code, leading to widespread script execution for all users who view the page."}}}}, "created": "2026-04-22T01:15:07.314135+00:00", "updated": "2026-04-22T01:15:07.314146+00:00", "vendors": []}