CVE-2025-8150

The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 2.2.9. The flaw resides in the plugin's Typewriter and Countdown widgets, where user-supplied attributes are not properly sanitized or escaped before being stored and later rendered on pages. This insufficient input validation allows malicious HTML and JavaScript to be persisted in the database.

To exploit this vulnerability, an attacker must have at least Contributor-level access to the WordPress site. The attacker can inject arbitrary web scripts through the vulnerable widget attributes when creating or editing a page or post. The injected payload is then executed in the browsers of any user who visits the affected page, including administrators and visitors.

The impact is the execution of attacker-controlled scripts in the context of the victim's session. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies and authentication tokens. The vulnerability does not require any special network position beyond being able to access the WordPress admin interface with contributor privileges.

As of the publication date, users are advised to update to a patched version if available. The vendor has not yet released a fix for version 2.2.9, but the plugin's development page [1] should be monitored for updates. In the meantime, restricting contributor-level access to trusted users and applying a web application firewall (WAF) rule to block XSS payloads may serve as temporary mitigations.