{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8874", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-11T18:41:30.150Z", "datePublished": "2025-08-12T06:42:41.228Z", "dateUpdated": "2026-04-08T16:49:28.128Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:28.128Z"}, "affected": [{"vendor": "litonice13", "product": "Master Addons For Elementor \u2013 Widgets, Extensions, Theme Builder, Popup Builder & Template Kits", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.9.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Master Addons \u2013 Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Master Addons \u2013 Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations <= 2.0.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via fancyBox", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44e4fb1b-eed4-4ef9-9856-7c5095117aa7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/vendor/fancybox/jquery.fancybox.min.js"}, {"url": "https://plugins.trac.wordpress.org/log/master-addons/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3340128%40master-addons&new=3340128%40master-addons&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338452%40master-addons&new=3338452%40master-addons&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-06-19T07:23:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-11T18:42:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T19:53:33.779539Z", "id": "CVE-2025-8874", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T20:06:12.559Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-12T19:53:33.779539Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T20:06:01.081Z"}}], "cna": {"title": "Master Addons \u2013 Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations <= 2.0.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via fancyBox", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "litonice13", "product": "Master Addons For Elementor \u2013 Widgets, Extensions, Theme Builder, Popup Builder & Template Kits", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.9.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-19T07:23:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-11T18:42:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44e4fb1b-eed4-4ef9-9856-7c5095117aa7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/vendor/fancybox/jquery.fancybox.min.js"}, {"url": "https://plugins.trac.wordpress.org/log/master-addons/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3340128%40master-addons&new=3340128%40master-addons&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338452%40master-addons&new=3338452%40master-addons&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Master Addons \u2013 Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:28.128Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8874", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:28.128Z", "dateReserved": "2025-08-11T18:41:30.150Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-12T06:42:41.228Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Master Addons \u2013 Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Master Addons \u2013 Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, &amp; Animations para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s de varios widgets en todas las versiones hasta la 2.0.8.6 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de Colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-8874", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-12T07:15:30.943", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/vendor/fancybox/jquery.fancybox.min.js"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338452%40master-addons&new=3338452%40master-addons&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3340128%40master-addons&new=3340128%40master-addons&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/log/master-addons/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44e4fb1b-eed4-4ef9-9856-7c5095117aa7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:24:20.709770+00:00", "value": {"mitigation_remediation": ["Update Master Addons to the latest plugin version that fixes the XSS issue.", "If an update is not available, remove or deactivate the widgets that allow arbitrary JavaScript insertion, especially the fancyBox widget.", "Limit Contributor and higher roles from accessing the plugin\u2019s widget editing features, or disable the problematic widgets for those roles.", "Conduct a full scan of the database for previously injected scripts and purge them from affected content."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Master Addons for Elementor plugin version 2.0.8.6 or earlier are affected. It is a plugin for the WordPress CMS, named Master Addons for Elementor \u2013 Widgets, Extensions, Theme Builder, Popup Builder & Template Kits, which is maintained by the vendor litonice13.", "description_and_impact": "The vulnerability enables an authenticated user with Contributor level or higher to embed JavaScript into the plugin\u2019s widgets. The injected script is stored in the database and executed whenever a user views the affected page. This can potentially allow an attacker to steal credentials, deface content, or perform other malicious actions; these effects are inferred from typical XSS exploit scenarios. The flaw stems from insufficient input sanitization and output escaping when rendering the fancyBox widget, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, but the EPSS score of less than 1\u202f% suggests a low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalog, meaning no known widespread exploitation has been reported. However, because the attack requires authenticated Contributor access, sites with a broad Contributor user base are at heightened risk. Exploitation is straightforward once the role is obtained, as the injected code is executed automatically when any user accesses the page containing the widget."}}}}, "created": "2026-04-21T19:30:06.089271+00:00", "updated": "2026-04-21T19:30:06.089290+00:00", "vendors": []}