CVE-2025-9045 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the Easy Elementor Addons plugin for WordPress, developed by hashthemes. This vulnerability exists in versions up to and including 2.2.8 due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping of several widget parameters. An authenticated attacker with contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages managed by the plugin. These scripts are then stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or further exploitation of the victim's browser environment. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting its network attack vector, low attack complexity, requirement for privileges (contributor or above), no user interaction needed, and a scope change affecting confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which is a common and well-understood web application security issue related to improper input validation and output encoding in dynamic web content generation.

For European organizations, especially those relying on WordPress websites with the Easy Elementor Addons plugin installed, this vulnerability poses a significant risk to web application security and user trust. Exploitation could lead to unauthorized script execution in the context of the affected website, enabling attackers to steal session cookies, perform actions on behalf of legitimate users, or redirect users to malicious sites. This can result in data breaches, defacement, loss of customer confidence, and potential regulatory non-compliance under GDPR if personal data is compromised. Since contributor-level access is required, the threat is more relevant in environments where multiple users have elevated privileges, such as collaborative editorial teams or agencies managing client sites. The scope of impact extends to any European organization using this plugin, including e-commerce, media, and public sector websites, where the integrity and confidentiality of web content and user data are critical.

European organizations should immediately audit their WordPress installations to identify the presence and version of the Easy Elementor Addons plugin. Until an official patch is released, the following specific mitigations are recommended: 1) Restrict contributor-level and higher privileges strictly to trusted users and review user roles and permissions to minimize the number of accounts that can exploit this vulnerability. 2) Implement Web Application Firewall (WAF) rules tailored to detect and block typical XSS payloads targeting the affected widget parameters. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages. 4) Conduct thorough input validation and output encoding on any custom code interacting with the plugin or its widgets. 5) Monitor website logs and user activity for signs of suspicious script injections or anomalous behavior. 6) Stay alert for official patches or updates from hashthemes and apply them promptly once available. 7) Consider temporarily disabling or replacing the plugin if the risk is deemed unacceptable and no patch is available.