CVE-2025-8874 is a stored cross-site scripting (XSS) vulnerability identified in the WordPress plugin Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations, developed by litonice13. This vulnerability affects all versions up to and including 2.0.8.6. The root cause is insufficient input sanitization and output escaping in several widgets, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored persistently, they execute every time any user views the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common and dangerous web security flaw. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches or fixes are currently available, and no known exploits have been reported in the wild. The vulnerability affects a widely used WordPress plugin that enhances Elementor page builder functionality, making it relevant to many websites relying on this plugin for advanced widgets and animations. The vulnerability's exploitation requires authenticated access at Contributor level, which is a relatively low privilege level in WordPress, increasing the risk in environments where contributor accounts are common or easily compromised.

The impact of CVE-2025-8874 is significant for organizations using the affected WordPress plugin, as it enables attackers with relatively low privileges to inject persistent malicious scripts into web pages. This can lead to session hijacking, theft of sensitive user information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. Since the scripts execute in the context of any user visiting the compromised page, including administrators, the attack surface is broad. This can undermine user trust, damage brand reputation, and lead to data breaches or compliance violations. The vulnerability does not directly affect availability but compromises confidentiality and integrity. Organizations with contributor-level users or public-facing content management workflows are particularly at risk. Additionally, the widespread use of WordPress and Elementor-based plugins globally means a large number of websites could be targeted, increasing the potential scale of impact.

To mitigate CVE-2025-8874, organizations should implement the following specific measures: 1) Immediately review and restrict Contributor-level user permissions to trusted individuals only, minimizing the risk of malicious script injection. 2) Monitor and audit content submitted by contributors for suspicious or unexpected JavaScript code, using automated scanning tools where possible. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block common XSS payloads targeting the vulnerable widgets. 4) Disable or remove the affected widgets from the Master Addons plugin if feasible until a security patch is released. 5) Keep WordPress core, themes, and all plugins updated and subscribe to security advisories from the plugin vendor and WordPress security teams. 6) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 7) Educate content contributors about secure content practices and the risks of injecting untrusted code. These targeted actions go beyond generic advice by focusing on access control, content monitoring, and layered defenses specific to this plugin's vulnerability.