{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8388", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-30T19:24:06.696Z", "datePublished": "2025-09-10T04:22:37.666Z", "dateUpdated": "2026-04-08T16:47:33.398Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:33.398Z"}, "affected": [{"vendor": "ideaboxcreations", "product": "PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.9.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018cursor_url\u2019 parameter in all versions up to, and including, 2.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "PowerPack Lite for Elementor <= 2.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Via 'cursor_url'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cd8bed0-fcfe-4927-b393-ddabbe8c3e6b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/powerpack-lite-for-elementor/trunk/extensions/custom-cursor.php#L402"}, {"url": "https://plugins.trac.wordpress.org/changeset/3357005/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-08-01T04:24:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-09T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-10T13:03:14.065339Z", "id": "CVE-2025-8388", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T13:03:20.716Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-10T13:03:14.065339Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T13:03:17.456Z"}}], "cna": {"title": "PowerPack Lite for Elementor <= 2.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Via 'cursor_url'", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ideaboxcreations", "product": "PowerPack Elementor Addons (Free Widgets, Extensions and Templates)", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.9.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-01T04:24:39.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-09T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cd8bed0-fcfe-4927-b393-ddabbe8c3e6b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/powerpack-lite-for-elementor/trunk/extensions/custom-cursor.php#L402"}, {"url": "https://plugins.trac.wordpress.org/changeset/3357005/"}], "descriptions": [{"lang": "en", "value": "The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018cursor_url\u2019 parameter in all versions up to, and including, 2.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-10T04:22:37.666Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8388", "state": "PUBLISHED", "dateUpdated": "2025-09-10T13:03:20.716Z", "dateReserved": "2025-07-30T19:24:06.696Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-10T04:22:37.666Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018cursor_url\u2019 parameter in all versions up to, and including, 2.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8388", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-10T05:15:31.933", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/powerpack-lite-for-elementor/trunk/extensions/custom-cursor.php#L402"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3357005/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cd8bed0-fcfe-4927-b393-ddabbe8c3e6b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:22:06.872939+00:00", "value": {"mitigation_remediation": ["Upgrade PowerPack Lite for Elementor to the latest available version, which is expected to contain a fix for the stored XSS flaw.", "If an upgrade is not immediately possible, review and remove any custom cursor URLs that contain user\u2011supplied content, or replace them with a neutral URL to prevent script injection.", "Limit the assignment of Contributor or higher roles in WordPress until a patched version is installed or the vulnerability is otherwise mitigated."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Vendor ideaboxcreations provides the PowerPack Addons for Elementor \u2013 a collection of free widgets, extensions, and templates for WordPress. All releases up to and including version 2.9.4 are affected because the \u2018cursor_url\u2019 option remains unsanitized. Versions beyond 2.9.4 are not confirmed in the given data and their status is uncertain.", "description_and_impact": "The PowerPack Elementor Addons plugin contains an insufficiently sanitized \u2018cursor_url\u2019 parameter in all releases up to and including 2.9.4. This flaw enables an authenticated user with Contributor level or higher to store arbitrary JavaScript in the plugin\u2019s settings. When a page that uses the custom cursor is rendered, the injected script executes for every user who views the page, allowing the attacker to modify page content or persist malicious code across visits.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.4 and an EPSS score of less than 1%, indicating moderate severity but a very low probability of widespread exploitation at the time of analysis. The attack requires authenticated access at Contributor level or higher, and the injected script is stored and executed automatically whenever an affected page is accessed. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-22T14:30:18.957479+00:00", "updated": "2026-04-22T14:30:18.957490+00:00", "vendors": []}