CVE-2025-12837
Description
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in aThemes Addons for Elementor Call To Action widget allows authenticated attackers with contributor+ access to inject malicious scripts.
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in the Call To Action widget. The root cause is insufficient input sanitization and output escaping on user-supplied values, allowing arbitrary scripts to be stored in the widget's settings [1].
To exploit this vulnerability, an attacker must have contributor-level or higher permissions in WordPress. The attacker can inject malicious JavaScript code into the Call To Action widget, which will be stored and executed whenever a user accesses the affected page.
Successful exploitation enables the attacker to execute arbitrary web scripts in the context of the victim's browser. This can lead to session hijacking, website defacement, or redirection to malicious sites, potentially compromising the site and its users.
The vulnerability affects all versions up to and including 1.1.5. Users should update to a patched version as soon as possible. If no patch is available, administrators should restrict contributor access or disable the Call To Action widget temporarily.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=1.1.5
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.5/inc/modules/widgets/call-to-action/class-call-to-action.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- wordpress.org/plugins/athemes-addons-for-elementor-lite/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/75a3a8ee-42c6-4963-bb48-6794b310b861nvd
News mentions
0No linked articles in our index yet.