CVE-2025-14149: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xpro Xpro Addons — 140+ Widgets for Elementor
CVE-2025-14149 is a stored cross-site scripting (XSS) vulnerability in the Xpro Addons — 140+ Widgets for Elementor WordPress plugin, affecting all versions up to 1. 4. 24. The flaw exists in the Image Scroller widget's box link attribute, where insufficient input sanitization and output escaping allow authenticated users with contributor-level access or higher to inject malicious scripts. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability requires no user interaction beyond visiting the injected page but does require authenticated access with contributor privileges. The CVSS score is 6. 4 (medium severity), reflecting the moderate impact on confidentiality and integrity without affecting availability. No known public exploits have been reported yet. Organizations using this plugin should prioritize patching or applying mitigations to prevent exploitation, especially in environments with multiple contributors.
AI Analysis
Technical Summary
CVE-2025-14149 is a stored cross-site scripting (XSS) vulnerability identified in the Xpro Addons — 140+ Widgets for Elementor plugin for WordPress, which is widely used to enhance Elementor page builder functionality. The vulnerability specifically affects the Image Scroller widget's box link attribute, where the plugin fails to properly sanitize and escape user-supplied input. This improper neutralization of input (classified under CWE-79) allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes automatically in the browsers of any users who visit the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability affects all versions up to and including 1.4.24. Exploitation requires authentication with contributor or higher privileges but does not require user interaction beyond page viewing. The CVSS 3.1 base score is 6.4, indicating a medium severity level, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to affecting other users. No patches or official fixes have been published at the time of disclosure, and no known exploits are reported in the wild. The vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or editors who can inject content. Attackers could leverage this flaw to conduct targeted attacks, deface websites, or steal sensitive information from site visitors.
Potential Impact
The impact of CVE-2025-14149 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of the vulnerable website, potentially leading to session hijacking, theft of authentication cookies, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the compromised page, increasing the attack surface. Organizations relying on the Xpro Addons plugin for Elementor, especially those with multiple contributors or editors, face increased risk of insider or compromised user exploitation. While availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences. The medium CVSS score reflects the need for timely remediation but indicates that exploitation requires some privileges, limiting the attacker's initial access vector. Nonetheless, the widespread use of WordPress and Elementor, combined with the popularity of this plugin, means that many websites globally could be affected, amplifying the potential impact.
Mitigation Recommendations
To mitigate CVE-2025-14149, organizations should first verify if they use the Xpro Addons — 140+ Widgets for Elementor plugin and identify the version in use. Since no official patch is currently available, immediate mitigation steps include restricting contributor-level and higher permissions to trusted users only, minimizing the number of users who can inject content. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections targeting the Image Scroller widget's link attribute can help reduce risk. Site administrators should audit existing content for injected scripts and remove any suspicious code. Employing Content Security Policy (CSP) headers can limit the impact of XSS by restricting the sources from which scripts can be loaded. Monitoring logs for unusual activity or changes in widget content can provide early detection of exploitation attempts. Once a patch or update is released by the vendor, promptly apply it. Additionally, educating contributors about safe content practices and the risks of injecting untrusted code can reduce accidental exploitation. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, Italy
CVE-2025-14149: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xpro Xpro Addons — 140+ Widgets for Elementor
Description
CVE-2025-14149 is a stored cross-site scripting (XSS) vulnerability in the Xpro Addons — 140+ Widgets for Elementor WordPress plugin, affecting all versions up to 1. 4. 24. The flaw exists in the Image Scroller widget's box link attribute, where insufficient input sanitization and output escaping allow authenticated users with contributor-level access or higher to inject malicious scripts. These scripts execute whenever any user views the compromised page, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability requires no user interaction beyond visiting the injected page but does require authenticated access with contributor privileges. The CVSS score is 6. 4 (medium severity), reflecting the moderate impact on confidentiality and integrity without affecting availability. No known public exploits have been reported yet. Organizations using this plugin should prioritize patching or applying mitigations to prevent exploitation, especially in environments with multiple contributors.
AI-Powered Analysis
Technical Analysis
CVE-2025-14149 is a stored cross-site scripting (XSS) vulnerability identified in the Xpro Addons — 140+ Widgets for Elementor plugin for WordPress, which is widely used to enhance Elementor page builder functionality. The vulnerability specifically affects the Image Scroller widget's box link attribute, where the plugin fails to properly sanitize and escape user-supplied input. This improper neutralization of input (classified under CWE-79) allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes automatically in the browsers of any users who visit the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability affects all versions up to and including 1.4.24. Exploitation requires authentication with contributor or higher privileges but does not require user interaction beyond page viewing. The CVSS 3.1 base score is 6.4, indicating a medium severity level, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to affecting other users. No patches or official fixes have been published at the time of disclosure, and no known exploits are reported in the wild. The vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or editors who can inject content. Attackers could leverage this flaw to conduct targeted attacks, deface websites, or steal sensitive information from site visitors.
Potential Impact
The impact of CVE-2025-14149 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary scripts in the context of the vulnerable website, potentially leading to session hijacking, theft of authentication cookies, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who visit the compromised page, increasing the attack surface. Organizations relying on the Xpro Addons plugin for Elementor, especially those with multiple contributors or editors, face increased risk of insider or compromised user exploitation. While availability is not directly impacted, the reputational damage and potential data breaches can have significant operational and financial consequences. The medium CVSS score reflects the need for timely remediation but indicates that exploitation requires some privileges, limiting the attacker's initial access vector. Nonetheless, the widespread use of WordPress and Elementor, combined with the popularity of this plugin, means that many websites globally could be affected, amplifying the potential impact.
Mitigation Recommendations
To mitigate CVE-2025-14149, organizations should first verify if they use the Xpro Addons — 140+ Widgets for Elementor plugin and identify the version in use. Since no official patch is currently available, immediate mitigation steps include restricting contributor-level and higher permissions to trusted users only, minimizing the number of users who can inject content. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injections targeting the Image Scroller widget's link attribute can help reduce risk. Site administrators should audit existing content for injected scripts and remove any suspicious code. Employing Content Security Policy (CSP) headers can limit the impact of XSS by restricting the sources from which scripts can be loaded. Monitoring logs for unusual activity or changes in widget content can provide early detection of exploitation attempts. Once a patch or update is released by the vendor, promptly apply it. Additionally, educating contributors about safe content practices and the risks of injecting untrusted code can reduce accidental exploitation. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-05T19:14:30.379Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69a1438e32ffcdb8a2fbeb00
Added to database: 2/27/2026, 7:11:10 AM
Last enriched: 2/27/2026, 7:27:26 AM
Last updated: 2/27/2026, 8:12:18 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-27776: Deserialization of untrusted data in NTT DATA INTRAMART Corporation intra-mart Accel Platform
HighCVE-2026-0980: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Red Hat Red Hat Satellite 6
HighCVE-2026-0871: Incorrect Privilege Assignment in Red Hat Red Hat build of Keycloak 26.4
MediumCVE-2025-9909: Use of Non-Canonical URL Paths for Authorization Decisions in Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8
MediumCVE-2025-9908: Exposure of Sensitive Information to an Unauthorized Actor in Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.