{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8451", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-31T21:53:11.940Z", "datePublished": "2025-08-15T06:40:41.711Z", "dateUpdated": "2026-04-08T16:50:23.826Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:23.826Z"}, "affected": [{"vendor": "wpdevteam", "product": "Essential Addons for Elementor \u2013 Popular Elementor Templates & Widgets", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Essential Addons for Elementor \u2013 Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the \u2018data-gallery-items\u2019 parameter in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Essential Addons for Elementor \u2013 Popular Elementor Templates and Widgets <= 6.2.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'data-gallery-items'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4917652a-1c83-4570-98c5-1a34e637814e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/assets/front-end/js/view/filterable-gallery.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3344071/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-07-31T22:09:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-14T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-15T12:09:20.921049Z", "id": "CVE-2025-8451", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T12:09:25.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8451", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-15T12:09:20.921049Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T12:09:22.983Z"}}], "cna": {"title": "Essential Addons for Elementor \u2013 Popular Elementor Templates and Widgets <= 6.2.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'data-gallery-items'", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpdevteam", "product": "Essential Addons for Elementor \u2013 Popular Elementor Templates & Widgets", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-31T22:09:48.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-14T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4917652a-1c83-4570-98c5-1a34e637814e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/assets/front-end/js/view/filterable-gallery.js"}, {"url": "https://plugins.trac.wordpress.org/changeset/3344071/"}], "descriptions": [{"lang": "en", "value": "The Essential Addons for Elementor \u2013 Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the \u2018data-gallery-items\u2019 parameter in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:23.826Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8451", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:50:23.826Z", "dateReserved": "2025-07-31T21:53:11.940Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-15T06:40:41.711Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Essential Addons for Elementor \u2013 Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the \u2018data-gallery-items\u2019 parameter in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Essential Addons for Elementor \u2013 Popular Elementor Templates &amp; Widgets para WordPress es vulnerable a Cross-Site Scripting almacenado basadas en DOM a trav\u00e9s del par\u00e1metro 'data-gallery-items' en todas las versiones hasta la 6.2.2 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-8451", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-15T07:15:29.160", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/assets/front-end/js/view/filterable-gallery.js"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3344071/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4917652a-1c83-4570-98c5-1a34e637814e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:33:59.378360+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to version\u00a06.3.0 or newer, which removes the vulnerable handling of data\u2011gallery\u2011items.", "If an upgrade is not possible, restrict Contributor and higher roles from editing gallery items, or disable the gallery feature entirely.", "Implement a strict Content Security Policy that disallows inline script execution, or use a web application firewall rule to block the data\u2011gallery\u2011items parameter from containing script delimiters."], "summary": {"action": "Apply patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Essential Addons for Elementor \u2013 Popular Elementor Templates & Widgets plugin from vendor wpdevteam, specifically any versions through 6.2.2. The vulnerability is present in all releases up to and inclusive of 6.2.2", "description_and_impact": "The vulnerability is a DOM\u2011Based Stored Cross\u2011Site Scripting flaw triggered by the data\u2011gallery\u2011items parameter in the Essential Addons for Elementor \u2013 Popular Elementor Templates & Widgets plugin. Because the plugin does not properly sanitize or escape user input, an attacker can embed malicious JavaScript that is persisted in a gallery and executed in the browsers of any visitor to the affected page. This enables script execution in the context of the site, potentially leading to cookie theft, session hijacking, or defacement. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1\u202f% suggests that exploitation is currently rare. Attackers need authenticated Contributor\u2011level access to inject the payload, and the injected code runs only when a user views the affected page, so the risk is mainly client\u2011side. The vulnerability is not listed in the CISA KEV catalog, and no publicly available exploit is documented."}}}}, "created": "2025-08-16T21:40:48.712145+00:00", "updated": "2026-04-21T03:45:27.372134+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}