CVE-2025-8444
Description
DOM-based Stored XSS in Animation Addons for Elementor plugin allows authenticated users to inject scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Animation Addons for Elementor plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting. This vulnerability exists in all versions up to and including 2.6.7 due to insufficient input sanitization and output escaping.
Exploitation
An attacker with at least Contributor-level access can inject arbitrary web scripts into pages. These scripts execute whenever a user accesses a page containing the injected content. Because the vulnerability is DOM-based, the malicious script is executed by the victim's browser after it processes the injected content.
Impact
Successful exploitation lets an attacker run arbitrary web scripts within the context of the victim's browser session. Depending on the injected script, this can result in session hijacking, credential theft, or defacement.
Mitigation
The vulnerability is fixed in version 2.6.8. Users are advised to update to the latest version of the plugin. The plugin was last updated on 2026-06-08 [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.6.7
- (no CPE) range: <=2.6.7
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions
No linked articles in our index yet.