CVE-2025-0433 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations, developed by litonice13. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'id' parameter, which is not adequately sanitized or escaped before being rendered. This flaw allows authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages managed by the plugin. Because the malicious script is stored persistently, it executes automatically whenever any user accesses the infected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to 2.0.7.1 inclusive. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network exploitability with low attack complexity, requiring privileges but no user interaction, and a scope change due to the impact extending beyond the vulnerable component. The impact primarily affects confidentiality and integrity, with no direct availability impact. No patches or official fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability was reserved in January 2025 and published in March 2025 by Wordfence. This plugin is widely used in WordPress sites leveraging Elementor for enhanced page building capabilities.

The vulnerability enables attackers with Contributor-level access to inject persistent malicious scripts, which execute in the context of any user viewing the compromised page. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential site defacement. Since Contributor-level users can typically create and edit content but not publish, the risk is elevated in environments where such users are trusted or where privilege escalation is possible. The scope change in the CVSS vector indicates that the impact extends beyond the plugin to other components or users interacting with the infected content. While availability is not directly affected, the confidentiality and integrity of user data and site content are at risk. Organizations relying on this plugin for their WordPress sites may face reputational damage, data breaches, and compliance issues if exploited. The lack of a patch increases the window of exposure, necessitating immediate mitigation steps.

1. Immediately restrict Contributor-level and higher access to trusted users only, minimizing the number of users who can exploit this vulnerability. 2. Implement strict content review and approval workflows to detect and prevent malicious script injection by contributors. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'id' parameter or typical XSS patterns in requests to the plugin. 4. Monitor logs and user activity for unusual behavior indicative of exploitation attempts, such as unexpected script insertions or content changes. 5. Disable or remove the Master Addons plugin temporarily if feasible until an official patch is released. 6. Educate site administrators and content contributors about the risks and signs of XSS attacks. 7. Upon patch release, promptly update the plugin to the fixed version. 8. Consider implementing Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts. 9. Regularly audit all plugins and themes for vulnerabilities and maintain an up-to-date inventory to prioritize patching and risk management.