CVE-2025-8687 is a stored Cross-Site Scripting vulnerability identified in the Enter Addons – Ultimate Template Builder for Elementor WordPress plugin, affecting all versions up to and including 2.2.7. The vulnerability arises from improper neutralization of user-supplied input in the Countdown and Image Comparison widgets, where insufficient input sanitization and lack of output escaping allow authenticated users with contributor-level access or higher to inject arbitrary JavaScript code. This malicious code is stored persistently within the website content and executes in the context of any user who views the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The CVSS 3.1 base score is 6.4, indicating medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (contributor or higher), no user interaction, and a scope change due to potential impact on other users. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those allowing multiple contributors or editors. The vulnerability is categorized under CWE-79, which is a common and well-understood class of web application security flaws. The plugin is widely used in conjunction with Elementor, a popular WordPress page builder, increasing the potential attack surface. The lack of a patch at the time of reporting necessitates immediate attention to mitigate risk.

For European organizations, this vulnerability can lead to unauthorized script execution within their web environments, potentially resulting in session hijacking, defacement, phishing, or unauthorized actions performed under the guise of legitimate users. Organizations relying on WordPress sites with multiple contributors or editors are particularly vulnerable, as attackers only need contributor-level access to exploit the flaw. This could lead to data leakage, reputational damage, and compliance issues under GDPR if personal data is compromised. The medium severity score reflects moderate impact, but the scope change indicates that the compromise of one user’s privileges can affect others, amplifying the risk. Given the widespread use of WordPress and Elementor in Europe, especially among SMEs and content-heavy websites, the threat could affect a broad range of sectors including e-commerce, media, education, and government portals. The lack of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation. The vulnerability’s exploitation does not affect availability but impacts confidentiality and integrity of web content and user sessions.

1. Monitor the vendor’s announcements closely and apply security patches or updates as soon as they become available for the Enter Addons plugin. 2. Until a patch is released, restrict contributor-level access and review user roles to minimize the number of users who can inject content. 3. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injection attempts targeting the vulnerable widgets. 4. Conduct regular security audits and code reviews of user-generated content, especially in the Countdown and Image Comparison widgets. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict input validation on the application side where possible. 7. Consider disabling or replacing the vulnerable widgets if they are not essential to site functionality until a fix is available. 8. Maintain regular backups of website data to enable quick restoration in case of compromise.