Medium severity6.4NVD Advisory· Published Aug 24, 2025· Updated Apr 15, 2026

CVE-2025-8208

Description

The Spexo Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Spexo Addons for Elementor's Countdown widget allows contributor+ users to inject arbitrary scripts, executing on any page view.

The Spexo Addons for Elementor plugin, which extends Elementor with widgets and tools [1], contains a Stored Cross-Site Scripting (XSS) vulnerability in its Countdown widget. The issue stems from insufficient input sanitization and output escaping on user-supplied attributes, affecting all versions up to and including 1.0.23.

Authenticated attackers with contributor-level access or higher can exploit this flaw by crafting malicious input in the widget attributes. When a page containing the vulnerable widget is viewed by any user, the injected script executes in the context of the victim's browser.

Successful exploitation enables arbitrary JavaScript execution, which can lead to session hijacking, website defacement, or redirection to malicious sites. This poses a risk to site integrity and user privacy, especially on multi-author WordPress sites.

As of the publication date, users are advised to update to a patched version beyond 1.0.23 if available, or apply any vendor-supplied fixes. Mitigation may also involve restricting contributor-level access or disabling the vulnerable widget until a patch is applied.

References

Spexo Addons for Elementor – Elementor Widgets, Mega Menu, Popup Builder, Template Kits and Starter Templates for Elementor

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Sastra Essential Addons For Elementorreferences
Package: https://wordpress.org/plugins/sastra-essential-addons-for-elementor
Livemeshelementor/Addons For Elementorllm-fuzzy
Range: <=1.0.23

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000