CVE-2025-5284 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations' developed by litonice13. This vulnerability affects all versions up to and including 2.0.8.2. The root cause is insufficient capability restriction combined with inadequate input sanitization and output escaping in the Custom JS extension feature of the plugin. An authenticated attacker with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages managed by the plugin. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed in the context of the victim's browser session. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), requires low attack complexity, and privileges at the Contributor level, but no user interaction is needed for exploitation. The scope is changed, meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact affects confidentiality and integrity but not availability. No known exploits are reported in the wild yet, and no official patches have been linked at the time of publication. This vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

For European organizations using WordPress websites with the affected Master Addons plugin, this vulnerability poses a significant risk to web application security. Exploitation can lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform actions on behalf of users, or deliver further malware payloads. This can compromise user data confidentiality and integrity, damage organizational reputation, and potentially lead to regulatory non-compliance under GDPR due to data breaches. Since Contributor-level access is required, insider threats or compromised lower-privileged accounts can be leveraged to escalate attacks. The persistent nature of stored XSS means that once injected, the malicious code can affect all visitors to the compromised pages, increasing the attack surface. The lack of user interaction requirement further lowers the barrier for successful exploitation. Given the widespread use of WordPress in Europe for corporate, governmental, and e-commerce sites, the vulnerability could impact a broad range of sectors. However, the absence of known exploits in the wild currently reduces immediate risk but does not eliminate the need for proactive mitigation.

European organizations should immediately audit their WordPress installations to identify the presence of the Master Addons plugin and verify the version in use. Until an official patch is released, organizations should consider disabling the Custom JS extension feature or the entire plugin if feasible. Restrict Contributor-level access strictly, ensuring that only trusted users have such privileges, and review user roles and permissions regularly. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection patterns targeting the affected plugin. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct thorough input validation and output encoding on all user-supplied data, especially in custom JavaScript fields. Monitor logs for unusual activity related to plugin usage and user privilege escalations. Once a patch becomes available, prioritize immediate testing and deployment. Additionally, educate site administrators and developers about secure coding practices to prevent similar vulnerabilities in custom extensions.