CVE-2025-9698
Description
The Plus Addons for Elementor WordPress plugin before 6.3.16 does not sanitize SVG file contents, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Plus Addons for Elementor plugin before 6.3.16 lacks SVG sanitization, allowing Author-level stored XSS.
CVE-2025-9698 is a stored cross-site scripting (XSS) vulnerability in the Plus Addons for Elementor WordPress plugin (versions prior to 6.3.16). The root cause is the plugin's failure to properly sanitize SVG file contents uploaded by users. This oversight allows malicious JavaScript to be embedded within SVG files [1].
An attacker must have at least Author-level access to upload media, which is a standard role in WordPress. After uploading a crafted SVG file containing JavaScript, the malicious payload is stored on the server and later executed in the browser of any user (including administrators) when the SVG is rendered or previewed [1].
Successful exploitation enables an attacker to perform a wide range of actions in the context of the victim's session, such as modifying page content, stealing session cookies, or performing administrative actions without authorization. The CVSS v3 base score of 6.8 (Medium) reflects the requirement for authenticated access combined with the potential for high impact on confidentiality, integrity, and availability [1].
The vulnerability has been addressed in version 6.3.16 of the plugin. Administrators are strongly advised to update to this patched version or later. No workaround is currently available for older versions [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
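As an added defender-side illustration (not code from the plugin, its vendor, or this CVE record), the check below rejects SVG uploads that carry the constructs a stored-XSS SVG relies on: script or HTML-embedding elements, on* event-handler attributes, and javascript:/data: URLs in link attributes. It is written in Python rather than the plugin's PHP, and the element and attribute lists are my assumptions about what an upload filter should block, not an enumeration taken from the page; the sample SVGs are constructed test data.

```python
"""Pre-upload gate for SVG files: refuse anything that can run script when rendered."""
import re
import xml.etree.ElementTree as ET

# Assumed block-list: elements that embed script or arbitrary HTML in an SVG.
BLOCKED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Assumed list of attributes whose value is a URL that a browser will follow or animate.
URL_ATTRS = {"href", "src", "from", "to", "values"}
DANGEROUS_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text: str) -> list:
    """Return the reasons an SVG is unsafe; an empty list means it passed."""
    # Refuse DOCTYPE/ENTITY before parsing so entity expansion never reaches the parser.
    if re.search(r"<!DOCTYPE|<!ENTITY", svg_text, re.IGNORECASE):
        return ["doctype/entity declaration"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():  # every element, namespaced or not
        tag = _local(el.tag)
        if tag in BLOCKED_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload=, onclick=, onerror=, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and DANGEROUS_URL.match(value):
                findings.append(f"{name}={value[:20]!r} on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True only when no finding was raised; callers should reject the upload otherwise."""
    return not svg_findings(svg_text)


# Constructed samples: a benign icon and one carrying an event handler plus a script element.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              '<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')
SCRIPTED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
                '<script>run()</script></svg>')
```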
Affected products
- Range: <6.3.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.