CVE-2025-8149 is a stored Cross-Site Scripting (XSS) vulnerability affecting the aThemes Addons for Elementor WordPress plugin, specifically in its Countdown widget. This vulnerability arises due to improper neutralization of input during web page generation (CWE-79). The plugin fails to sufficiently sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users visit these compromised pages, the malicious scripts execute in their browsers within the context of the vulnerable website. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability affects all versions up to and including 1.1.2 of the plugin. The CVSS 3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, privileges of a contributor or above, no user interaction, and impacts confidentiality and integrity with a scope change (the vulnerability can affect other users beyond the attacker). No known exploits are currently reported in the wild. The vulnerability was published on September 6, 2025, and was reserved in July 2025. No official patches or updates are linked yet, indicating that users should be cautious and monitor for vendor updates. Since the vulnerability requires authenticated access at contributor level or above, it is not trivially exploitable by anonymous attackers, but it remains a significant risk in environments where multiple users have editing permissions. Stored XSS is particularly dangerous because the malicious payload persists on the server and affects all visitors to the infected page or post.

For European organizations using WordPress sites with the aThemes Addons for Elementor plugin, this vulnerability poses a risk of unauthorized script execution leading to data theft, session hijacking, or defacement. Organizations with multi-user content management workflows are especially vulnerable since contributors can inject malicious code. This can result in compromised user accounts, leakage of sensitive information, and damage to brand reputation. The confidentiality and integrity of website content and user data are at risk, though availability is not directly impacted. Attackers could leverage this vulnerability to conduct phishing campaigns or spread malware by injecting malicious scripts into trusted websites. Given the widespread use of WordPress in Europe for corporate, governmental, and e-commerce sites, the threat could affect a broad range of sectors. The medium severity score suggests a moderate but non-negligible risk, particularly for organizations lacking strict access controls or monitoring. The absence of known exploits in the wild currently reduces immediate risk, but the vulnerability should be treated proactively to prevent future exploitation.

European organizations should immediately audit their WordPress installations to identify the presence of the aThemes Addons for Elementor plugin, especially versions up to 1.1.2. Until an official patch is released, organizations should restrict contributor-level access to trusted users only and review existing user permissions to minimize the number of users who can inject content. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections in the Countdown widget parameters can provide interim protection. Additionally, organizations should enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on their websites. Regularly monitoring website content for unauthorized changes and scanning for XSS payloads can help detect exploitation attempts early. Once the vendor releases a patch, prompt updating of the plugin is critical. Organizations should also educate content contributors about the risks of injecting untrusted code and enforce strict input validation policies where possible. Backup procedures should be reviewed to ensure quick recovery in case of compromise.