CVE-2025-8874 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations' developed by litonice13. This vulnerability exists in all versions up to and including 2.0.8.6. The root cause is insufficient input sanitization and output escaping in several widgets provided by the plugin. An attacker with at least Contributor-level privileges on a WordPress site can inject arbitrary malicious JavaScript code into pages generated by the plugin. Because the vulnerability is stored XSS, the malicious script is saved on the server and executed whenever any user visits the compromised page, potentially affecting all visitors. The CVSS v3.1 base score is 6.4 (medium severity), with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, requiring privileges (Contributor or higher), no user interaction, scope changed, and partial impact on confidentiality and integrity but no impact on availability. The vulnerability can lead to session hijacking, privilege escalation, defacement, or distribution of malware via injected scripts. No known exploits in the wild have been reported yet, and no official patches or updates have been linked at the time of publication. The vulnerability affects all versions of the plugin, which is a popular add-on for Elementor, a widely used WordPress page builder.

For European organizations using WordPress websites with the affected Master Addons plugin, this vulnerability poses a significant risk. Since Contributor-level access is sufficient to exploit the flaw, any compromised or malicious user account can inject persistent malicious scripts. This can lead to theft of user credentials, unauthorized actions performed on behalf of users, defacement of public-facing websites, or distribution of malware to visitors. Organizations in sectors such as e-commerce, government, education, and media that rely on WordPress for their web presence are particularly at risk. The cross-site scripting vulnerability undermines user trust and can result in data breaches or regulatory non-compliance under GDPR if personal data is exposed. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting other parts of the web application or user sessions. Given the widespread use of Elementor and its add-ons in Europe, the potential impact is broad, especially for organizations that do not enforce strict user role management or lack regular plugin update policies.

1. Immediate mitigation involves restricting Contributor-level access to trusted users only, minimizing the risk of malicious script injection. 2. Monitor and audit user-generated content and widget configurations for suspicious or unauthorized script content. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the affected plugin's widget endpoints. 4. Regularly update the Master Addons plugin once the vendor releases a patched version addressing this vulnerability. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected websites. 6. Conduct security awareness training for administrators and content contributors about the risks of XSS and safe content practices. 7. Use security plugins that can scan for and remediate stored XSS vulnerabilities in WordPress environments. 8. Consider temporarily disabling or replacing the affected widgets if immediate patching is not possible to reduce attack surface.