CVE-2025-31823 is a stored cross-site scripting (XSS) vulnerability identified in the WPoperation Elementor Addons WordPress plugin, specifically affecting versions up to 1.1.9. The root cause is improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently on the affected site. When other users or administrators visit the compromised pages, the injected script executes in their browsers within the context of the vulnerable site. This can lead to a range of malicious outcomes including session hijacking, theft of cookies or credentials, unauthorized actions performed on behalf of users, and defacement of the website. The vulnerability does not require authentication, meaning any unauthenticated attacker can exploit it by submitting crafted input to the vulnerable plugin's interface. Although no public exploits or active attacks have been reported yet, the presence of stored XSS in a widely used WordPress plugin is a critical concern given the popularity of WordPress and Elementor-based sites. The vulnerability affects all installations using WPoperation Elementor Addons up to version 1.1.9, and no patch links are currently available, indicating that users must remain vigilant for vendor updates. The lack of a CVSS score necessitates an independent severity assessment based on the potential impact and exploitability. Stored XSS vulnerabilities are among the most dangerous client-side attacks due to their persistence and ability to affect multiple users. The vulnerability was reserved and published on April 1, 2025, by Patchstack, a known assigner for WordPress plugin vulnerabilities.

The impact of CVE-2025-31823 is significant for organizations using the WPoperation Elementor Addons plugin on their WordPress sites. Successful exploitation can compromise the confidentiality and integrity of user data by enabling attackers to steal session cookies, credentials, or other sensitive information. It also threatens availability indirectly by allowing attackers to deface websites or inject malicious content that could lead to blacklisting by search engines or browsers. Since the vulnerability is stored XSS, the malicious payload persists and can affect multiple users over time, increasing the attack surface. The ease of exploitation without authentication means attackers can target any vulnerable site remotely. This can lead to reputational damage, loss of customer trust, and potential regulatory penalties if user data is compromised. E-commerce sites, membership portals, and any sites handling sensitive user information are particularly at risk. The widespread use of WordPress and Elementor-based plugins globally means that a large number of websites could be affected, amplifying the potential scale of impact.

Organizations should immediately audit their WordPress installations to identify if WPoperation Elementor Addons is installed and determine the version in use. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate exposure. Implementing strict input validation and sanitization on all user inputs related to the plugin can reduce the risk of injection. Employing a robust Content Security Policy (CSP) can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Monitoring web server logs and user activity for unusual behavior or injected scripts is critical for early detection. Additionally, website owners should ensure that their WordPress core, themes, and other plugins are up to date to minimize overall attack surface. Once the vendor releases a patch, it should be applied immediately. Educating site administrators and users about the risks of XSS and safe browsing practices will also help reduce successful exploitation. Finally, consider using web application firewalls (WAFs) that can detect and block common XSS attack patterns targeting this plugin.