CVE-2025-8199 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Marquee Addons for Elementor – Advanced Elements & Modern Motion Widgets WordPress plugin developed by debuggersstudio. The vulnerability exists in the Testimonial Marquee widget due to improper neutralization of user-supplied input during web page generation. Specifically, the plugin fails to adequately sanitize and escape attributes submitted by authenticated users with contributor-level permissions or higher. This allows these users to inject arbitrary JavaScript code that is stored persistently and executed in the browsers of any visitors who load the affected pages. The vulnerability affects all versions up to and including 2.4.3. Exploitation requires no user interaction beyond page viewing but does require authenticated access with contributor or higher privileges, which are common in multi-author WordPress sites. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impacts on confidentiality and integrity with no availability impact. No public exploits have been reported yet. The vulnerability can lead to session hijacking, unauthorized actions on behalf of users, defacement, or distribution of malware. The scope is limited to sites using this specific plugin and widget, but given WordPress’s widespread use, the potential reach is significant. The vulnerability was reserved in July 2025 and published in December 2025. No official patches were linked at the time of reporting, so mitigation relies on plugin updates or manual hardening.

The primary impact of CVE-2025-8199 is on the confidentiality and integrity of affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of site visitors, potentially stealing session cookies, performing actions on behalf of users, or redirecting users to malicious sites. This can lead to account compromise, data theft, defacement, or distribution of malware. Although availability is not directly impacted, the reputational damage and potential data breaches can have severe consequences for organizations. Sites with multiple contributors or public-facing testimonial widgets are particularly vulnerable. The attack complexity is low once contributor access is obtained, which is a common permission level in collaborative environments. The vulnerability could be leveraged as a foothold for further attacks within an organization’s web infrastructure. Given WordPress’s dominant market share in content management systems, the potential scale of impact is substantial, especially for organizations relying on this plugin for advanced UI elements.

1. Immediately update the Marquee Addons for Elementor plugin to the latest version once a patch addressing CVE-2025-8199 is released by debuggersstudio. 2. Until an official patch is available, restrict contributor-level access to trusted users only and review user roles to minimize unnecessary privileges. 3. Implement strict input validation and output encoding on all user-supplied data within the plugin’s widget configurations, either by applying custom filters or using security plugins that sanitize inputs. 4. Employ a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the affected widget parameters. 5. Regularly audit and monitor WordPress logs for suspicious activity, especially changes to testimonial widgets or unusual script injections. 6. Educate content contributors about the risks of injecting untrusted content and enforce content submission policies. 7. Consider disabling or replacing the vulnerable widget with alternative solutions that follow secure coding practices. 8. Conduct periodic security assessments and penetration tests focusing on plugin vulnerabilities and user privilege abuse.