{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8215", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-25T20:37:35.696Z", "datePublished": "2025-09-11T07:24:58.353Z", "dateUpdated": "2026-04-08T17:18:55.370Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:55.370Z"}, "affected": [{"vendor": "cyberchimps", "product": "Responsive Addons for Elementor \u2013 Free Elementor Addons, Kits and Elementor Templates", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Responsive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Responsive Addons for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd3dbc56-4833-4b5d-bd6c-facc3e1878ea?source=cve"}, {"url": "https://wordpress.org/plugins/responsive-addons-for-elementor/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3360599%40responsive-addons-for-elementor&new=3360599%40responsive-addons-for-elementor&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-09-10T18:49:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T13:44:36.241365Z", "id": "CVE-2025-8215", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:38:20.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8215", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T13:44:36.241365Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T13:44:38.468Z"}}], "cna": {"title": "Responsive Addons for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "cyberchimps", "product": "Responsive Addons for Elementor \u2013 Free Elementor Addons, Kits and Elementor Templates", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T18:49:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd3dbc56-4833-4b5d-bd6c-facc3e1878ea?source=cve"}, {"url": "https://wordpress.org/plugins/responsive-addons-for-elementor/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3360599%40responsive-addons-for-elementor&new=3360599%40responsive-addons-for-elementor&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Responsive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:55.370Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8215", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:55.370Z", "dateReserved": "2025-07-25T20:37:35.696Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:24:58.353Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Responsive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8215", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:32.700", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3360599%40responsive-addons-for-elementor&new=3360599%40responsive-addons-for-elementor&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/responsive-addons-for-elementor/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd3dbc56-4833-4b5d-bd6c-facc3e1878ea?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:52:07.880038+00:00", "value": {"mitigation_remediation": ["Upgrade to version 2.0.2 or later of the Responsive Addons for Elementor plugin, or remove the plugin if an upgrade is unavailable.", "Audit all pages that use the plugin widgets and remove or neutralize any injected scripts left by contributors.", "Limit contributor access by assigning stricter roles or reviewing contributor accounts for suspicious activity."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Responsive Addons for Elementor WordPress plugin for all releases up to and including version 2.0.1. Any site that has this plugin installed prior to a later update is potentially exposed; administrators should verify the installed version and confirm it is not within the affected range.", "description_and_impact": "The Responsive Addons for Elementor plugin is vulnerable to stored cross\u2011site scripting because it fails to sanitize or escape user\u2011supplied attributes in multiple widgets. Authenticated attackers with contributor level access or higher can inject arbitrary JavaScript that will execute whenever a page containing the malicious widget is viewed. Based on the nature of stored XSS, the injected script could potentially be used to hijack user sessions, steal credentials, or deface page content; these consequences are inferred from common XSS impact scenarios rather than explicitly stated in the CVE description.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity threat, and the EPSS score of less than 1% suggests that exploitation is currently rare. It is not listed in the CISA KEV catalog. Attackers would need to authenticate to the WordPress administrative interface with contributor or higher privileges, so the primary vector is through legitimate site management activity. Despite the low exploitation probability, any compromised contributor account can inject malicious content, making prompt remediation advisable."}}}}, "created": "2025-09-12T09:11:20.723948+00:00", "updated": "2026-04-20T22:00:11.192198+00:00", "vendors": ["cyberchimps", "cyberchimps$PRODUCT$responsive", "cyberchimps$PRODUCT$responsive_addons", "cyberchimps$PRODUCT$responsive_addons_for_elementor", "elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}