CVE-2025-8100 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Element Pack Addons for Elementor plugin developed by bdthemes, which provides Mega Menu, Header Footer, Dynamic Builder, and Ready Templates functionalities for WordPress sites. The vulnerability arises from improper neutralization of input during web page generation, specifically in the 'marker_content' parameter. Versions up to and including 8.1.5 fail to adequately sanitize and escape this parameter, allowing authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code. When a user accesses a page containing the injected script, the malicious code executes in their browser context, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the victim. The vulnerability requires no user interaction beyond visiting the affected page but does require authenticated access, limiting the attacker scope to users with some level of trust on the site. The CVSS v3.1 base score is 5.4, reflecting medium severity, with attack vector as network, low attack complexity, privileges required at the level of contributor, no user interaction, and impacts on confidentiality and integrity but not availability. No public exploits are currently known, but the vulnerability poses a significant risk to multi-user WordPress environments using this plugin. The lack of available patches at the time of publication necessitates immediate attention to mitigate risk.

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users who visit those pages. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts, including potentially higher-privileged accounts if session tokens are compromised. It may also allow attackers to perform actions on behalf of other users, deface websites, or distribute malware. Since the vulnerability affects the confidentiality and integrity of user data and site content, organizations face risks of data breaches, reputational damage, and loss of user trust. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but in environments with many contributors or less stringent access controls, the risk is elevated. The vulnerability does not impact availability directly but can indirectly cause service disruption through defacement or administrative lockout. Organizations worldwide using WordPress with this plugin are at risk, especially those with collaborative content management workflows.

Organizations should immediately audit their WordPress installations to identify usage of the Element Pack Addons for Elementor plugin, particularly versions up to 8.1.5. Since no official patches are currently available, administrators should consider temporarily disabling or uninstalling the plugin to eliminate the attack vector. Restrict contributor-level permissions to trusted users only and review existing contributor accounts for signs of compromise. Implement Web Application Firewall (WAF) rules that detect and block suspicious input patterns targeting the 'marker_content' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor website logs for unusual activity or unexpected content changes. Educate contributors about the risks of injecting untrusted content and enforce strict input validation policies. Once a patch is released, prioritize prompt updating of the plugin. Additionally, consider isolating contributor privileges by using role management plugins that enforce least privilege principles.