CVE-2025-8564

The SKT Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 3.7. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes across multiple widgets, including Image Accordion, Event Calendar, Image Stack, and others [1]. This allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts.

An attacker must have contributor-level or higher permissions to exploit this vulnerability. By editing a page or post using Elementor with a vulnerable widget, the attacker can supply malicious attributes that are stored in the database. When a victim visits the affected page, the injected script executes in their browser. The plugin's changelog indicates that the issue was addressed in version 3.8, where the affected widgets were refactored to resolve the Wordfence-reported vulnerability [1].

The impact of successful exploitation includes the ability to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, website defacement, redirection to malicious sites, or theft of sensitive information such as cookies or authentication tokens. Since the script is stored on the server, every user who views the injected page is affected.

Users are strongly advised to update the SKT Addons for Elementor plugin to version 3.8 or later, as this release contains the necessary security fixes. The vendor's changelog confirms that the vulnerability was addressed in version 3.8 [1]. No workaround is available other than updating or disabling the affected widgets.