CVE-2025-7646 is a stored cross-site scripting (XSS) vulnerability identified in The Plus Addons for Elementor plugin for WordPress, which provides addons, page templates, widgets, mega menu, and WooCommerce integration. The vulnerability exists in all versions up to and including 6.3.10 and arises from improper neutralization of input during web page generation, specifically via the custom script parameter. Unlike many XSS vulnerabilities that require high-level privileges, this flaw can be exploited by authenticated users with Contributor-level access or above, even if they lack the unfiltered_html capability. This means that attackers with relatively low privileges can inject arbitrary JavaScript code into pages, which will then execute in the browsers of any users who visit those pages, potentially leading to session hijacking, data theft, or further compromise of the site. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, with low attack complexity, requiring privileges but no user interaction. The scope is changed, as the vulnerability affects other users beyond the attacker. No public exploits have been reported to date, but the risk remains significant due to the widespread use of this plugin in WordPress environments. The vulnerability stems from insufficient input validation and output encoding in the plugin’s handling of the custom script parameter, allowing malicious scripts to be stored and later executed in victim browsers. This type of vulnerability is classified under CWE-79, which is a common and impactful web security weakness.

The impact of CVE-2025-7646 is primarily on the confidentiality and integrity of affected WordPress sites and their users. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the vulnerable website, which can lead to session hijacking, theft of sensitive user data (such as cookies and credentials), defacement, or redirection to malicious sites. Since the vulnerability is stored XSS, the malicious payload persists and affects all users who access the infected pages, amplifying the potential damage. Organizations running e-commerce sites or handling sensitive customer data via WooCommerce are at increased risk of financial and reputational damage. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the network or to distribute malware. The requirement for authenticated access at Contributor level limits the attack surface somewhat but does not eliminate risk, especially in environments with many users or weak access controls. The vulnerability affects a widely used WordPress plugin, increasing the potential global impact. Without mitigation, organizations face risks of data breaches, loss of customer trust, and compliance violations related to data protection regulations.

To mitigate CVE-2025-7646, organizations should immediately update The Plus Addons for Elementor plugin to a patched version once available. Until a patch is released, administrators should restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implement strict input validation and output encoding on all user-supplied data, especially the custom script parameter, to prevent script injection. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this plugin. Regularly audit and monitor site content for unexpected script injections or modifications. Disable or limit the use of custom scripting features if not essential. Educate content contributors about the risks of injecting scripts and enforce least privilege principles. Additionally, consider deploying Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting the sources from which scripts can be loaded. Finally, maintain regular backups and have an incident response plan to quickly remediate any successful exploitation.