The yeashir Anber Elementor Addon plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-7440. This vulnerability exists due to improper neutralization of input during web page generation, specifically through the $item['button_link']['url'] parameter. Versions up to and including 1.0.1 fail to adequately sanitize and escape this input, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the victim’s session. The vulnerability requires authentication but no user interaction to trigger, and the attack complexity is low. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low complexity, privileges required, no user interaction, and a scope change due to impact on other users. Although no exploits have been reported in the wild, the vulnerability poses a significant risk to websites using this plugin, especially those with multiple contributors. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. The lack of a patch at the time of publication increases the urgency for mitigation. This vulnerability can compromise confidentiality and integrity but does not affect availability directly.

The primary impact of CVE-2025-7440 is the potential compromise of user confidentiality and integrity on affected WordPress sites. Attackers with Contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors or administrators, enabling theft of session cookies, credentials, or other sensitive information. This can lead to account takeover, unauthorized actions performed on behalf of users, and further compromise of the website’s security posture. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by access controls, but many WordPress sites allow contributors or editors, increasing the attack surface. The scope of impact extends beyond the attacker’s account to all users who view the infected pages, amplifying the potential damage. Although availability is not directly affected, the reputational damage and potential data breaches can have severe operational and financial consequences. Organizations relying on this plugin for content management may face increased risk of targeted attacks, especially if the site hosts sensitive or high-value content. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks once exploit code becomes available.

1. Immediately restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious input injection. 2. Implement strict input validation and output encoding on all user-supplied data, especially the $item['button_link']['url'] parameter, to neutralize potentially malicious scripts. 3. Monitor website content for unexpected or suspicious script tags or injected code, using automated scanning tools or manual audits. 4. Apply web application firewall (WAF) rules that detect and block common XSS payloads targeting this plugin’s parameters. 5. Encourage the plugin vendor to release a security patch and apply it promptly once available. 6. Educate site administrators and contributors about the risks of XSS and safe content management practices. 7. Consider disabling or replacing the Anber Elementor Addon plugin if immediate patching is not feasible. 8. Regularly update WordPress core and all plugins to reduce exposure to known vulnerabilities. 9. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 10. Conduct periodic security assessments focusing on user input handling and privilege management.