{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8150", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-24T21:50:42.399Z", "datePublished": "2025-08-29T08:25:54.349Z", "dateUpdated": "2026-04-08T17:20:18.520Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:18.520Z"}, "affected": [{"vendor": "nicheaddons", "product": "Events Addon for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Events Addon for Elementor <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter and Countdown Widgets", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3122921-6bea-49e7-b1d7-77a291928497?source=cve"}, {"url": "https://wordpress.org/plugins/events-addon-for-elementor/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3351935/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-08-28T19:53:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-29T16:23:13.039573Z", "id": "CVE-2025-8150", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-29T16:23:22.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-29T16:23:13.039573Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-29T16:23:18.167Z"}}], "cna": {"title": "Events Addon for Elementor <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter and Countdown Widgets", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "nicheaddons", "product": "Events Addon for Elementor", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.2.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-28T19:53:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3122921-6bea-49e7-b1d7-77a291928497?source=cve"}, {"url": "https://wordpress.org/plugins/events-addon-for-elementor/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3351935/"}], "descriptions": [{"lang": "en", "value": "The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-29T08:25:54.349Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8150", "state": "PUBLISHED", "dateUpdated": "2025-08-29T16:23:22.584Z", "dateReserved": "2025-07-24T21:50:42.399Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-29T08:25:54.349Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8150", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-29T09:15:33.277", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3351935/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/events-addon-for-elementor/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3122921-6bea-49e7-b1d7-77a291928497?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:55:53.119149+00:00", "value": {"mitigation_remediation": ["Download and install the latest version of Events Addon for Elementor (2.3.0 or later).", "Reduce or remove Contributor permissions for users until the patch is deployed.", "If upgrade is delayed, implement a web application firewall rule that blocks or sanitizes suspicious script strings from widget input fields."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of the Events Addon for Elementor by nicheaddons up to and including 2.2.9. No specific sub\u2011versions are listed as outside the affected range.", "description_and_impact": "The Events Addon for Elementor plugin is vulnerable due to insufficient input sanitization and output escaping on user\u2011supplied attributes in its Typewriter and Countdown widgets. The flaw allows authenticated users with Contributor level or higher to inject arbitrary JavaScript that will execute on any page displaying the affected widget. This stored XSS vulnerability is classified as CWE\u201179.", "risk_and_exploitability": "With a CVSS score of 6.4, the threat is moderate but real. The EPSS score of less than 1% indicates a very low probability of exploitation at present, and the flaw is not yet listed in CISA's KEV catalog. The attack vector requires authenticated access with Contributor or higher privileges, meaning that roles with that level of permission should be examined before applying a temporary defense."}}}}, "created": "2025-08-31T08:41:38.074679+00:00", "updated": "2026-04-20T22:00:11.218523+00:00", "vendors": ["nicheaddons", "nicheaddons$PRODUCT$events_addon_for_elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}