CVE-2025-8199 is a stored cross-site scripting (XSS) vulnerability identified in the Marquee Addons for Elementor – Advanced Elements & Modern Motion Widgets WordPress plugin developed by debuggersstudio. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically within the Testimonial Marquee widget. All versions up to and including 2.4.3 are affected. The root cause is insufficient input sanitization and output escaping of user-supplied attributes, allowing authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the affected site context. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple contributors. The vulnerability was published on December 13, 2025, and no official patches or updates are currently linked, necessitating proactive mitigation steps.

For European organizations, this vulnerability can lead to significant risks including unauthorized access to user sessions, data leakage, and potential defacement or manipulation of website content. Organizations relying on WordPress sites with the Marquee Addons plugin are at risk of attackers injecting malicious scripts that execute in the browsers of site visitors or administrators, potentially compromising sensitive information or enabling further attacks such as phishing or malware distribution. The requirement for contributor-level access means insider threats or compromised contributor accounts can be leveraged to exploit this vulnerability. The impact is particularly critical for organizations with public-facing websites that handle user data or provide interactive content, such as e-commerce, media, and government portals. The vulnerability does not affect availability directly but undermines trust and confidentiality, which can lead to reputational damage and regulatory compliance issues under GDPR if personal data is exposed.

1. Monitor for and apply updates from debuggersstudio promptly once a patch addressing CVE-2025-8199 is released. 2. Until a patch is available, restrict contributor-level permissions to trusted users only and review existing contributor accounts for suspicious activity. 3. Implement a Web Application Firewall (WAF) with robust XSS filtering rules to detect and block malicious script injections targeting the affected widget. 4. Conduct regular security audits and code reviews of user-generated content, especially in testimonial or marquee widgets. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 6. Educate content contributors about the risks of injecting untrusted code and enforce strict input validation policies. 7. Consider temporarily disabling or replacing the vulnerable widget if feasible until a secure version is available. 8. Monitor logs for unusual activity related to the plugin or contributor accounts to detect exploitation attempts early.