CVE-2025-7498 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Exclusive Addons for Elementor plugin for WordPress, specifically within the Countdown Widget component. The vulnerability exists due to improper neutralization of input during web page generation, classified under CWE-79. It affects all versions up to and including 2.7.9.4. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages via the vulnerable widget. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the infected page and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed as the vulnerability affects resources beyond the attacker’s privileges due to script execution in other users’ browsers. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the risks of insufficient input validation and output encoding in WordPress plugins that handle user-generated content.

This vulnerability can lead to significant security risks for organizations using the Exclusive Addons for Elementor plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of the affected website, potentially leading to session hijacking, theft of sensitive user data, defacement, or redirection to malicious sites. Since the vulnerability requires only Contributor-level access, attackers do not need administrative privileges, broadening the threat landscape within multi-user WordPress environments. The persistent nature of stored XSS means that all visitors to the compromised pages are at risk, increasing the potential impact. This can damage organizational reputation, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. The medium CVSS score reflects a moderate but tangible risk, especially for websites with high traffic or sensitive user bases. The absence of known exploits in the wild suggests limited current exploitation but also underscores the importance of proactive mitigation before attackers develop weaponized payloads.

Organizations should immediately review user roles and permissions to restrict Contributor-level access to trusted users only, minimizing the risk of exploitation. Applying the latest plugin updates or patches from the vendor as soon as they become available is critical. In the absence of official patches, administrators can implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the Countdown Widget input fields. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular security audits and scanning for XSS vulnerabilities in WordPress plugins should be conducted. Additionally, sanitizing and escaping all user inputs and outputs in custom code or plugin extensions is essential. Monitoring website logs for unusual activity or unexpected script injections can provide early detection of exploitation attempts. Finally, educating site administrators and users about the risks of XSS and safe content management practices will reduce the attack surface.