CVE-2025-8779 is a stored cross-site scripting vulnerability identified in the All-in-One Addons for Elementor – WidgetKit plugin for WordPress, maintained by the vendor shamsbd71. This vulnerability affects all plugin versions up to and including 2.5.6. The root cause is improper neutralization of user-supplied input during web page generation, specifically within the Team and Countdown widgets. Authenticated attackers with contributor-level permissions or higher can inject arbitrary JavaScript code into pages by exploiting insufficient input sanitization and lack of output escaping. Once injected, the malicious scripts execute in the context of any user who visits the compromised page, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits are known at this time, but the vulnerability's presence in a widely used WordPress plugin makes it a significant risk. The vulnerability was reserved in August 2025 and published in December 2025. The lack of available patches at the time of publication necessitates immediate mitigation steps by administrators.

For European organizations, this vulnerability poses a risk primarily to websites using the affected WordPress plugin, especially those with multiple contributors or editors who have contributor-level access or above. Successful exploitation can lead to session hijacking, unauthorized actions performed under the guise of legitimate users, defacement, or distribution of malware through compromised pages. This can result in reputational damage, data breaches involving user credentials or personal information, and potential regulatory non-compliance under GDPR if personal data is exposed or manipulated. The medium severity score reflects that while the vulnerability does not directly impact availability, the confidentiality and integrity of web sessions and data are at risk. Organizations with public-facing websites relying on this plugin may experience customer trust erosion and increased incident response costs. Given the widespread use of WordPress in Europe, the threat surface is considerable, particularly for sectors such as e-commerce, media, and government services that rely heavily on content management systems.

European organizations should immediately audit their WordPress installations to identify the presence of the All-in-One Addons for Elementor – WidgetKit plugin and verify the version in use. Until an official patch is released, restrict contributor-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the Team and Countdown widgets. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. Regularly monitor website content for unauthorized changes or injected scripts. Encourage developers and administrators to apply strict input validation and output encoding in custom code and plugins. Once a patch becomes available, prioritize its deployment in all affected environments. Additionally, conduct security awareness training for content contributors to recognize and avoid unsafe input practices. Finally, maintain comprehensive logging and monitoring to detect potential exploitation attempts promptly.