CVE-2025-8451 is a DOM-based stored Cross-Site Scripting (XSS) vulnerability identified in the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress, maintained by wpdevteam. The vulnerability exists in all versions up to and including 6.2.2 due to improper neutralization of input during web page generation, specifically via the 'data-gallery-items' parameter. Authenticated attackers with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages by manipulating this parameter. Because the vulnerability is DOM-based and stored, the malicious script persists on the server and executes in the context of any user who accesses the infected page. This can lead to theft of cookies, session tokens, or other sensitive information, as well as unauthorized actions performed on behalf of users. The vulnerability stems from insufficient input sanitization and lack of proper output escaping, violating CWE-79 standards. Exploitation does not require user interaction but does require authenticated access with limited privileges, which lowers the barrier compared to administrator-only vulnerabilities. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impacts on confidentiality and integrity with no availability impact. No public exploits are known at this time, but the widespread use of Elementor and its addons in WordPress sites makes this a significant concern for website administrators. The vulnerability was published on August 15, 2025, and is tracked under CVE-2025-8451.

The impact of CVE-2025-8451 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of site visitors, potentially leading to session hijacking, defacement, phishing, or unauthorized actions performed with the victim’s privileges. Since the vulnerability requires only Contributor-level access, attackers who gain such access through other means (e.g., weak credentials, social engineering) can leverage this flaw to escalate their impact. The stored nature of the XSS means the malicious payload persists and affects all users who visit the compromised pages, increasing the attack surface. While availability is not directly impacted, the reputational damage and potential data breaches can have severe consequences for organizations. Given the popularity of Elementor and its addons, many websites globally could be affected, including corporate, e-commerce, and informational sites. This could lead to data leakage, loss of customer trust, and regulatory compliance issues, especially in regions with strict data protection laws.

To mitigate CVE-2025-8451, organizations should immediately update the Essential Addons for Elementor plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict Contributor-level access to trusted users only and audit existing user roles to minimize risk. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'data-gallery-items' parameter can provide temporary protection. Additionally, site owners should enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly scanning the website for injected scripts and monitoring logs for unusual activity can help detect exploitation attempts early. Educating users about phishing and credential security reduces the risk of attackers gaining initial access. Finally, adopting a defense-in-depth approach by combining least privilege principles, input validation, and output encoding in custom code will reduce the impact of similar vulnerabilities.