CVE-2025-8689

Vulnerability

Overview

The Elements Plus! plugin for WordPress, which extends the Elementor page builder with additional widgets, is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 2.16.4. The flaw resides in the Image Comparison, HotSpot Plus, and Google Maps widgets, where user-supplied attributes are not properly sanitized or escaped before being stored and later rendered. This insufficient input validation allows malicious HTML or JavaScript to be embedded in widget settings [1].

Exploitation

Prerequisites

An attacker must have at least Contributor-level access to a WordPress site using the WordPress site, which is the lowest role that can create and edit posts. The attacker can then inject arbitrary web scripts into the vulnerable widget attributes. When any user (including administrators or visitors) accesses a page containing the malicious widget, the injected script executes in the context of the victim's browser session [1].

Impact

Successful exploitation enables the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, defacing pages, or performing other client-side attacks. Because the XSS is stored, the payload persists on the server and affects all subsequent visitors to the compromised page, amplifying the potential damage [1].

Mitigation

The vendor has addressed this vulnerability in version 2.16.5 of the Elements Plus! users are strongly advised to update to the latest patched release immediately. No workarounds have been published, and the plugin's changelog confirms the fix [1].