CVE-2025-6244 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress, maintained by wpdevteam. This vulnerability affects all plugin versions up to and including 6.1.19. The root cause is insufficient input sanitization and output escaping in the Calendar and Business Reviews widgets, which handle user-supplied attributes insecurely. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into these widget attributes. Because the vulnerability is stored, the malicious script persists in the database and executes in the browsers of any users who visit the affected pages. The CVSS 3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change due to the impact on other users. The vulnerability compromises confidentiality and integrity by enabling script execution that can steal session tokens, deface content, or perform unauthorized actions on behalf of users. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. This vulnerability is particularly concerning for WordPress sites that allow multiple contributors or editors to add content, as it expands the attack surface to less trusted users. The plugin's popularity means a significant number of websites could be affected globally, especially those using Elementor-based page builders.

The impact of CVE-2025-6244 is significant for organizations using the Essential Addons for Elementor plugin, particularly those with multiple content contributors. Exploitation allows attackers to inject persistent malicious scripts that execute in the browsers of site visitors and administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized actions, and website defacement. This can damage organizational reputation, lead to data breaches, and compromise user trust. Since the vulnerability requires authenticated access at Contributor level or higher, organizations with less restrictive content management policies are at higher risk. The scope change means the attack affects more users than just the attacker, increasing the potential damage. Although no known exploits are reported yet, the medium severity and ease of exploitation (low complexity) suggest attackers could develop exploits quickly. This vulnerability also poses risks to e-commerce sites, membership portals, and any WordPress-based service relying on this plugin, potentially affecting business continuity and compliance with data protection regulations.

To mitigate CVE-2025-6244, organizations should immediately review and restrict user roles and permissions, limiting Contributor-level access to trusted users only. Implement strict input validation and output encoding on all user-supplied data within the affected widgets, especially the Calendar and Business Reviews attributes. Monitor website content for unexpected script injections and unusual behavior. Employ Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting these widgets. Regularly audit and update all WordPress plugins, and apply security patches as soon as they become available from the vendor. Consider temporarily disabling the affected widgets or the entire Essential Addons plugin if patching is not immediately possible. Educate content contributors about safe content practices and the risks of injecting untrusted code. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.