CVE-2025-46472

Vulnerability

Details The Pack Elementor addons plugin for WordPress (the-pack-addon) is affected by a stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1.6. The issue stems from improper neutralization of user-supplied input during web page generation, allowing arbitrary JavaScript to be stored and executed when the page is viewed [1].

Exploitation

To exploit this vulnerability, an attacker must have a role with sufficient privileges to submit or edit content (e.g., author or editor). The attack requires user interaction—a privileged user must perform an action such as clicking a malicious link or submitting a crafted form. Once the malicious script is stored, it will execute in the browsers of any visitor accessing the affected page [1].

Impact

Successful exploitation permits an attacker to inject arbitrary scripts, including redirects, advertisements, and other HTML payloads. This can lead to site defacement, session hijacking, or phishing attacks on users who visit the compromised page. The vulnerability is rated medium severity with a CVSS v3 score of 6.5 [1].

Mitigation

The vendor has released a patch; users are strongly advised to update the plugin to version 2.1.7 or later. If updating is not possible, immediate action such as contacting a web developer or hosting provider is recommended, as this vulnerability may be used in mass-exploit campaigns against thousands of websites [1].