CVE-2025-8687

Vulnerability

Overview

The Enter Addons plugin for WordPress, up to version 2.2.7, contains a Stored Cross-Site Scripting (XSS) vulnerability in its Countdown and Image Comparison widgets. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within these widgets. This allows authenticated attackers to inject arbitrary web scripts that are stored on the server and executed when a page is created or updated [1].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have at least contributor-level access to the WordPress site. The attacker can then craft a page or post using the vulnerable widgets, embedding malicious JavaScript in the widget attributes. When any user (including administrators or visitors) accesses the affected page, the injected script executes in their browser context [1].

Impact

Successful exploitation leads to Stored XSS, enabling the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, defacing the page, or performing other actions within the security context of the victim's browser. Because the script is stored, it persists across visits and can affect multiple users without requiring further interaction from the attacker [1].

Mitigation

The vendor has not released a patched version as of the publication date. Users are advised to restrict contributor-level access to trusted individuals only, or to disable the vulnerable widgets until an alternative. The plugin is listed on the WordPress plugin repository, and updates may be provided in future versions [1].