CVE-2025-9045 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Easy Elementor Addons plugin for WordPress, specifically versions up to and including 2.2.8. The vulnerability stems from improper neutralization of input during web page generation, where several widget parameters do not undergo sufficient input sanitization or output escaping. This flaw enables authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users access these compromised pages, the injected scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deface content. The vulnerability requires the attacker to have at least contributor privileges, which means the attacker must be able to log in and create or edit content but does not require administrator rights. No user interaction beyond visiting the affected page is necessary for the payload to execute. The CVSS v3.1 score of 6.4 reflects a medium severity, with an attack vector over the network, low attack complexity, privileges required, no user interaction, and a scope change due to impact on other users. No known public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or public-facing content. The lack of available patches at the time of reporting necessitates immediate attention from site administrators to mitigate potential exploitation.

The impact of CVE-2025-9045 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, credential theft, unauthorized actions, or content defacement. Since the vulnerability is stored XSS, the malicious payload persists in the site content, affecting all users who visit the compromised pages. This can severely damage the reputation of organizations, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. The requirement for contributor-level access reduces the risk somewhat but does not eliminate it, as many WordPress sites allow multiple contributors or editors. The vulnerability does not impact availability directly but can indirectly cause service disruption if exploited for defacement or administrative abuse. Organizations worldwide using the Easy Elementor Addons plugin are at risk, especially those with public-facing websites and multiple content contributors. The medium CVSS score indicates a moderate but non-trivial threat that should be addressed promptly to avoid escalation.

1. Immediate mitigation involves restricting contributor-level access to trusted users only, minimizing the risk of malicious script injection. 2. Site administrators should monitor and audit content created or edited by contributors for suspicious scripts or unexpected changes. 3. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting WordPress plugins. 4. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the site. 5. Disable or limit the use of vulnerable widget parameters if possible until an official patch is released. 6. Regularly back up site content and databases to enable quick restoration in case of compromise. 7. Stay informed about updates from the plugin vendor and apply patches immediately once available. 8. Consider using security plugins that provide enhanced input sanitization and output escaping for user-generated content. 9. Educate contributors about safe content creation practices and the risks of injecting untrusted code. 10. For high-risk environments, consider temporarily disabling the Easy Elementor Addons plugin until a secure version is released.