CVE-2025-8196

Vulnerability

Overview

CVE-2025-8196 is a stored cross-site scripting (XSS) vulnerability in the Magical Addons For Elementor plugin for WordPress, versions up to and including 1.3.8. The plugin's Custom Attributes feature fails to properly sanitize user-supplied input and escape output, allowing authenticated attackers with at least contributor-level access to inject arbitrary web scripts. These scripts are stored on the server and execute when any user visits the affected page [1].

Exploitation

Vector

An attacker must be an authenticated WordPress user with contributor-level privileges or higher. The vulnerability is triggered through the plugin's Custom Attributes functionality, which is exposed in the Elementor editor. Because the plugin does not sufficiently filter or escape user-supplied attribute values, an attacker can craft a malicious attribute containing JavaScript code. No special network access or additional authentication bypass is required beyond the contributor role [1].

Impact

Successful exploitation results in persistent XSS that executes in the context of the victim's browser. Any user—including administrators—who views the page containing the injected attribute will have the attacker's script executed, potentially leading to session hijacking, credential theft, defacement, or further compromise of the WordPress installation [1].

Mitigation

The vendor has released a patched version (1.3.9 or later) that addresses the insufficient sanitization and escaping. Users of the Magical Addons For Elementor plugin are strongly advised to update to the latest version immediately. No security workaround is available for unpatched installations [1].