{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8100", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-23T19:32:10.514Z", "datePublished": "2025-08-06T03:40:59.487Z", "dateUpdated": "2026-04-08T16:48:11.047Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:11.047Z"}, "affected": [{"vendor": "bdthemes", "product": "Element Pack \u2013 Widgets, Templates & Addons for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Element Pack Elementor Addons and Templates <= 8.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map Widget Marker Content", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f5d3585-19fe-4e85-87d0-7f4c62944146?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/assets/js/modules/ep-open-street-map.js#L57"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/open-street-map/widgets/open-street-map.php#L498"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3339093%40bdthemes-element-pack-lite&new=3339093%40bdthemes-element-pack-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-07-23T19:47:22.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-05T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-06T19:27:37.224362Z", "id": "CVE-2025-8100", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T19:27:48.440Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8100", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-06T19:27:37.224362Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T19:27:43.931Z"}}], "cna": {"title": "Element Pack Elementor Addons and Templates <= 8.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map Widget Marker Content", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "bdthemes", "product": "Element Pack \u2013 Widgets, Templates & Addons for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-23T19:47:22.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-05T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f5d3585-19fe-4e85-87d0-7f4c62944146?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/assets/js/modules/ep-open-street-map.js#L57"}, {"url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/open-street-map/widgets/open-street-map.php#L498"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3339093%40bdthemes-element-pack-lite&new=3339093%40bdthemes-element-pack-lite&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:11.047Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8100", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:11.047Z", "dateReserved": "2025-07-23T19:32:10.514Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-06T03:40:59.487Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bdthemes:element_pack:*:*:*:*:lite:wordpress:*:*", "matchCriteriaId": "E9EAADEE-209E-4A55-9ED0-9ECBF4389A36", "versionEndExcluding": "8.1.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Element Pack Elementor Addons and Templates para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del par\u00e1metro 'marker_content' en versiones hasta la 8.1.5 (incluida), debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-8100", "lastModified": "2025-08-13T18:27:30.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-08-06T04:16:20.830", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/assets/js/modules/ep-open-street-map.js#L57"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modules/open-street-map/widgets/open-street-map.php#L498"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3339093%40bdthemes-element-pack-lite&new=3339093%40bdthemes-element-pack-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f5d3585-19fe-4e85-87d0-7f4c62944146?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:26:29.174532+00:00", "value": {"mitigation_remediation": ["Update Element Pack to version 8.1.6 or later to apply the security fix.", "If an immediate upgrade is not possible, revoke contributor permissions from the Open Street Map widget or whitelist only trusted authors.", "Remove the Element Pack plugin entirely if it is not required for site functionality."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Versions of bdthemes\u2019 Element Pack \u2013 Widgets, Templates & Addons for Elementor up to and including 8.1.5, both the Lite and full builds, are vulnerable. The plugin is installed on WordPress sites and can be upgraded beyond 8.1.5 to remove the flaw.", "description_and_impact": "A stored cross\u2011site scripting flaw was discovered in Element Pack, a WordPress addon for Elementor. The flaw is triggered by the marker_content field of the Open Street Map widget. Input is not properly sanitized or escaped, allowing an attacker to save malicious script payloads. Once a page containing the injected content is viewed, the script executes in the visitor\u2019s browser, potentially stealing session cookies, defacing content, or performing other client\u2011side attacks. This weakness is classified as CWE\u201179.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.4, indicating moderate impact. The EPSS score of less than 1\u202f% suggests a low likelihood of widespread exploitation at present. It is not listed in the CISA KEV catalog. Attackers must be authenticated to the WordPress admin interface with a contributor or higher role, so the prerequisite is user credentials. From there, they can enter and save malicious marker content, which is then rendered for all users who view the affected page. This inferred attack vector requires that the attacker can add or edit the Open Street Map widget\u2014an action typically restricted to higher\u2011privileged contributors."}}}}, "created": "2025-08-06T08:12:46.168765+00:00", "updated": "2026-04-21T19:30:06.091827+00:00", "vendors": ["bdthemes", "bdthemes$PRODUCT$element_pack", "element_pack_elementor_addons_wordpress", "element_pack_elementor_addons_wordpress$PRODUCT$element_pack_elementor_addons_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}