CVE-2025-7646: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in posimyththemes The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10, even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-7646 is a stored Cross-Site Scripting (XSS) vulnerability in The Plus Addons for Elementor plugin for WordPress (which bundles Elementor addons, page templates, widgets, a mega menu, and WooCommerce integrations). All versions up to and including 6.3.10 are affected. The flaw is improper neutralization of input during web page generation via the 'custom script' parameter: an authenticated attacker with Contributor-level privileges or higher can store arbitrary JavaScript in a page, and that script runs in the browser of every user who views the page. Notably, the injection succeeds even when the user lacks the 'unfiltered_html' capability, which WordPress normally relies on to strip script from content saved by lower-privileged roles. The weakness is classified as CWE-79. The CVSS v3.1 base score is 6.4 (medium severity): network attack vector, low attack complexity, low privileges required, no user interaction, and a changed scope, with low confidentiality and integrity impact and no availability impact. No exploits in the wild have been reported, and no patch has been linked yet. Successful exploitation lets the attacker run script in the context of the affected site, which can lead to session hijacking, defacement, or further attacks on users and administrators.
Potential Impact
For European organizations using WordPress sites with The Plus Addons for Elementor plugin, this vulnerability poses a significant risk. Since Contributor-level users can exploit it, attackers could leverage compromised or malicious user accounts to inject persistent malicious scripts. This can lead to theft of session cookies, user credentials, or other sensitive data, undermining confidentiality. Integrity of website content can be compromised through unauthorized script execution, potentially damaging brand reputation and trust. Although availability is not directly impacted, successful exploitation could facilitate further attacks such as phishing or malware distribution. E-commerce sites using WooCommerce integrations are particularly at risk of customer data exposure or fraudulent transactions. Given the widespread use of WordPress and Elementor in Europe, especially among SMEs and digital agencies, the threat surface is considerable. The vulnerability's ability to bypass typical capability restrictions increases the risk of exploitation by insiders or attackers who have gained limited access. This could also affect compliance with GDPR if personal data is exposed or manipulated.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify whether The Plus Addons for Elementor plugin is in use and which version is installed. Until an official patch is released, the following mitigations are recommended:
1) Restrict Contributor-level and higher user roles to trusted personnel only and review user accounts for suspicious activity.
2) Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the 'custom script' parameter.
3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages; because the injected code is stored inline, the policy only helps if it does not permit inline script ('unsafe-inline').
4) Regularly monitor website content for unauthorized script tags or injected code.
5) Disable or restrict the use of the vulnerable plugin if feasible, or replace it with alternative, secure plugins.
6) Educate content contributors about the risks of injecting scripts and enforce strict input validation policies.
7) Prepare to apply vendor patches promptly once available.
8) Conduct security scans and penetration tests focusing on XSS vectors related to this plugin.
These actions concentrate on user role management, WAF tuning, CSP implementation, and proactive monitoring specific to the vulnerability's exploitation vector.
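Mitigation item 4 (monitoring stored content for injected script) can be automated. The following is an added example, not code from the advisory or from the plugin: it runs an HTML parser over constructed sample post rows (post id, author role, post_content), flags markup that can execute script, and records whether the author's role normally carries unfiltered_html on a default single-site install (administrators and editors). A real run would read the rows from the wp_posts table or the REST API instead of the constructed list; the role set and the sample rows are assumptions.

```python
"""Flag script-capable markup in stored WordPress post content (added example)."""
import re
from html.parser import HTMLParser

# Roles that carry unfiltered_html on a default single-site WordPress install
# (assumption for this example). Script in content saved by any other role is
# the pattern described in the advisory and deserves a look.
UNFILTERED_HTML_ROLES = {"administrator", "editor"}

# Attributes that take a URL and can therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
JS_SCHEME = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)

# Constructed sample rows (post_id, author_role, post_content); not real site data.
SAMPLE_POSTS = [
    (101, "contributor", '<p>Quarterly update</p><a href="https://example.invalid/">more</a>'),
    (102, "contributor", "<p>Hi</p><script>alert(1)</script>"),
    (103, "contributor", '<img src="x" onerror="alert(1)">'),
    (104, "editor", '<script src="/wp-content/themes/x/analytics.js"></script>'),
    (105, "author", '<a href=" JavaScript:alert(1)">click</a>'),
]


class ScriptMarkupFinder(HTMLParser):
    """Collects elements, event handlers and URLs that can execute script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value and JS_SCHEME.match(value):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan_content(html):
    """Return the list of findings for one post_content string."""
    finder = ScriptMarkupFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_posts(rows):
    """Return one report entry per post that contains script-capable markup."""
    report = []
    for post_id, role, content in rows:
        findings = scan_content(content)
        if findings:
            report.append({
                "post_id": post_id,
                "role": role,
                "findings": findings,
                # True: the role may legitimately store script, so the finding is
                # policy-consistent. False: the capability bypass the CVE describes.
                "role_has_unfiltered_html": role in UNFILTERED_HTML_ROLES,
            })
    return report


if __name__ == "__main__":
    for entry in scan_posts(SAMPLE_POSTS):
        status = "ok" if entry["role_has_unfiltered_html"] else "UNEXPECTED"
        print(entry["post_id"], entry["role"], status, "; ".join(entry["findings"]))
```

The scan works on stored markup as the parser sees it, so it is a baseline check rather than a complete XSS oracle: encoded or obfuscated variants need a normalization pass first, and findings from roles without unfiltered_html should be triaged against the plugin's 'custom script' widget data as well as post_content.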
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-14T16:25:15.476Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688c6695ad5a09ad00c68506
Added to database: 8/1/2025, 7:02:45 AM
Last enriched: 8/1/2025, 7:17:52 AM
Last updated: 8/1/2025, 10:21:49 PM
Views: 7