CVE-2025-8687 is a stored cross-site scripting (XSS) vulnerability identified in the Enter Addons – Ultimate Template Builder for Elementor WordPress plugin, specifically affecting all versions up to and including 2.2.7. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied attributes in its Countdown and Image Comparison widgets. This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially enabling session hijacking, privilege escalation, or other malicious actions. The vulnerability does not require user interaction beyond visiting the affected page and does not require higher than contributor privileges, which are commonly granted on many WordPress sites. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity with no availability impact. No public exploits or patches have been reported as of the publication date. The vulnerability affects a widely used WordPress plugin that extends Elementor, a popular page builder, thus potentially impacting a large number of websites globally.

The impact of CVE-2025-8687 is significant for organizations using the Enter Addons plugin with Elementor on WordPress. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the context of any user visiting the infected page. This can lead to theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since contributor-level access is often granted to content creators or external collaborators, the attack surface is broader than vulnerabilities requiring administrator privileges. The compromise of user sessions or integrity of website content can damage organizational reputation, lead to data breaches, and disrupt business operations. Although availability is not directly impacted, the confidentiality and integrity risks are moderate to high. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. Organizations with high-traffic websites or those handling sensitive user data are particularly at risk.

To mitigate CVE-2025-8687, organizations should immediately update the Enter Addons – Ultimate Template Builder for Elementor plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing user roles to minimize exposure. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the affected widgets can provide temporary protection. Additionally, site owners should review and sanitize existing content created via the Countdown and Image Comparison widgets to remove any injected scripts. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting script execution sources. Regular security audits and monitoring for unusual user behavior or content changes are recommended. Finally, educating content contributors about safe input practices and the risks of injecting untrusted code can reduce accidental exploitation.