{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7646", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-14T16:25:15.476Z", "datePublished": "2025-08-01T06:44:31.601Z", "dateUpdated": "2026-04-08T16:54:40.200Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:40.200Z"}, "affected": [{"vendor": "posimyththemes", "product": "The Plus Addons for Elementor \u2013 Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.3.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Plus Addons for Elementor \u2013 Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10 even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "The Plus Addons for Elementor \u2013 Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58fcab5e-c82e-4072-9a86-94a7f18a6e56?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.3.11/modules/widgets/tp_hovercard.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-07-14T16:46:40.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-31T17:40:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-01T13:12:46.858239Z", "id": "CVE-2025-7646", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T13:13:02.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7646", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-01T13:12:46.858239Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-01T13:12:55.913Z"}}], "cna": {"title": "The Plus Addons for Elementor \u2013 Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "posimyththemes", "product": "The Plus Addons for Elementor \u2013 Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.3.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-14T16:46:40.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-31T17:40:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58fcab5e-c82e-4072-9a86-94a7f18a6e56?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.3.11/modules/widgets/tp_hovercard.php"}], "descriptions": [{"lang": "en", "value": "The The Plus Addons for Elementor \u2013 Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10 even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:40.200Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7646", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:54:40.200Z", "dateReserved": "2025-07-14T16:25:15.476Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-01T06:44:31.601Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Plus Addons for Elementor \u2013 Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10 even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento The Plus Addons for Elementor \u2013 Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce para WordPress es vulnerable a Cross-site Scripting almacenado mediante el par\u00e1metro de script personalizado en todas las versiones hasta la 6.3.10 incluida, incluso si el usuario no tiene la funci\u00f3n unfiltered_html. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder a una p\u00e1gina inyectada."}], "id": "CVE-2025-7646", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-01T07:15:32.990", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.3.11/modules/widgets/tp_hovercard.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/58fcab5e-c82e-4072-9a86-94a7f18a6e56?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:45:30.958352+00:00", "value": {"mitigation_remediation": ["Upgrade The Plus Addons for Elementor to version 6.3.11 or later, which removes the unsafe custom script parameter.", "Immediately disable or delete any custom script settings added by contributors until a patch is applied.", "Review user roles and remove Contributor or higher permissions from non\u2011trusted users, or use a role\u2011management tool to strip the capability that allows storing custom scripts.", "Configure a web application firewall or content filtering plugin to block injected script tags in Elementor content."], "summary": {"action": "Patch Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all WordPress sites running the Plus Addons for Elementor plugin from its initial release through version 6.3.10, issued by the vendor Posimyththemes. The flaw is present in the core widget code and page template configuration. Site administrators must check any installation that uses this plugin version and be aware that any user with Contributor or higher permissions is a threat actor.", "description_and_impact": "The Plus Addons for Elementor plugin contains a stored cross\u2011site scripting flaw that enables an authenticated user with a Contributor role or higher to inject arbitrary JavaScript through the custom script parameter in all versions up to 6.3.10, even when the unfiltered_html capability is disabled. An attacker who can write or edit content can embed malicious code that will execute whenever any visitor views the affected page, potentially compromising user sessions and data.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, and the EPSS score of < 1% suggests a low probability of exploitation under normal circumstances. However, the flaw can be exploited by anyone who can add or edit Elementor content, and the attack does not require unauthenticated access. Because the vulnerability is stored, it affects all visitors who load the compromised page. The bug is not currently listed in the CISA KEV catalog, but site owners are advised to monitor threat feeds for emerging exploitation activity."}}}}, "created": "2026-04-21T04:00:10.051355+00:00", "updated": "2026-04-21T04:00:10.051390+00:00", "vendors": []}