CVE-2025-8200
Description
The Mega Elements – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Timer widget in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Mega Elements Countdown Timer widget allows authenticated contributors to inject arbitrary web scripts; patched in version 1.3.3.
The vulnerability is a Stored Cross-Site Scripting (XSS) in the Countdown Timer widget of the Mega Elements – Addons for Elementor plugin for WordPress. The root cause is insufficient input sanitization and output escaping on user-supplied attributes, allowing attackers to inject arbitrary web scripts.
Exploitation requires an authenticated user with at least contributor-level access to WordPress. The attacker can embed malicious scripts in the Countdown Timer widget settings, which are stored and executed when any user views the compromised page.
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites.
The vulnerability is patched in version 1.3.3, released on 2025-09-12, as noted in the plugin's changelog [1]. Users are advised to update to the latest version immediately.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=1.3.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.