{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8687", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-06T21:20:01.797Z", "datePublished": "2025-12-13T08:21:14.931Z", "dateUpdated": "2026-04-08T17:18:49.118Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:49.118Z"}, "affected": [{"vendor": "themelooks", "product": "Enter Addons \u2013 Ultimate Template Builder for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Enter Addons <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcd6c085-9fd8-43d9-b244-ab91146f610f?source=cve"}, {"url": "https://wordpress.org/plugins/enteraddons/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383539%40enteraddons&new=3383539%40enteraddons&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-12-12T19:38:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:42:46.960818Z", "id": "CVE-2025-8687", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:46:15.237Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8687", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:42:46.960818Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:42:47.990Z"}}], "cna": {"title": "Enter Addons <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "themelooks", "product": "Enter Addons \u2013 Ultimate Template Builder for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T19:38:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcd6c085-9fd8-43d9-b244-ab91146f610f?source=cve"}, {"url": "https://wordpress.org/plugins/enteraddons/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383539%40enteraddons&new=3383539%40enteraddons&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:49.118Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8687", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:18:49.118Z", "dateReserved": "2025-08-06T21:20:01.797Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T08:21:14.931Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-8687", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:56.280", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383539%40enteraddons&new=3383539%40enteraddons&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/enteraddons/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcd6c085-9fd8-43d9-b244-ab91146f610f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:54:53.303674+00:00", "value": {"mitigation_remediation": ["Upgrade Enter Addons to 2.2.8 or later", "If unable to upgrade, revoke contributor-level permissions from users who can edit the widget and remove the Countdown and Image Comparison widgets from active pages", "Review existing pages for injected scripts and clean them manually from the widget\u2019s attributes"], "summary": {"action": "Upgrade", "impact": "Stored Cross\u2011Site Scripting that permits arbitrary script execution"}, "threat_synthesis": {"affected_systems": "All installations of the Enter Addons \u2013 Ultimate Template Builder for Elementor plugin with versions 2.2.7 or earlier running on WordPress are affected. Any user with contributor\u2011level access or higher can trigger the vulnerability. Host environments are unrestricted beyond the plugin\u2019s version and user role.", "description_and_impact": "The Enter Addons plugin is vulnerable to a stored cross\u2011site scripting flaw in its Countdown and Image Comparison widgets. Unsanitized user supplied attributes allow an authenticated contributor or higher to inject malicious scripts that are persisted in site content and executed whenever a page containing the widget is viewed by any visitor. The injected payload can run in the context of the site, enabling cookie theft, session hijacking, defacement, or other client\u2011side attacks.", "risk_and_exploitability": "The base score of 6.4 indicates a moderate severity. The EPSS score of less than 1\u202f% suggests low current exploitation probability, and the flaw is not yet listed in the CISA KEV catalog. Exploitation requires authentication, so the attacker must first obtain at least contributor privileges. Once authenticated, the attacker can embed a script via the widget\u2019s attribute fields which is then stored and executed for all users who view the affected page. No network\u2011bypass or elevated privileges are needed beyond the role ensuring a lower barrier to entry for the attacker but the impact is confined to the site\u2019s front\u2011end execution context."}}}}, "created": "2025-12-14T21:14:40.108517+00:00", "updated": "2026-04-20T19:00:10.695179+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "themelooks", "themelooks$PRODUCT$enter_addons", "wordpress", "wordpress$PRODUCT$wordpress"]}