CVE-2025-63055
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Master Addons for Elementor plugin (≤2.0.9.9.4) allows authenticated attackers to inject malicious scripts.
The Master Addons for Elementor WordPress plugin, versions 2.0.9.9.4 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw falls under CWE-79 and enables an authenticated attacker with contributor-level privileges or higher to inject arbitrary JavaScript or HTML into pages rendered by the plugin [1].
Exploitation requires the attacker to have at least contributor-level access to the WordPress site, and user interaction (such as a victim visiting a crafted page or clicking a malicious link) is necessary for the injected payload to execute [1]. The attacker can store the malicious payload in a field that is later rendered without proper output sanitization, making it persistent.
Successful exploitation could allow an attacker to perform actions like redirecting visitors to malicious sites, displaying unwanted advertisements, stealing session cookies, or defacing the website [1]. The CVSSv3 base score is 6.5 (Medium), indicating moderate impact combined with the need for authenticated access and user interaction.
The vulnerability has been patched in version 2.1.0 of the plugin, and users are strongly advised to update immediately [1]. For sites unable to update, temporary mitigations include restricting contributor-level access and employing a web application firewall, though upgrading is the recommended solution [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.0.9.9.4
- Range: <= 2.0.9.9.4
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.