CVE-2025-9077 identifies a stored cross-site scripting (XSS) vulnerability in the Ultra Addons Lite for Elementor WordPress plugin, versions 1.1.9 and below. The flaw exists in the 'Animated Text' field of the Typeout Widget, where insufficient input sanitization and output escaping allow authenticated users with contributor-level access or higher to inject arbitrary JavaScript code. This malicious code is stored persistently in the website's content and executes in the browsers of any users who visit the compromised pages. The vulnerability leverages CWE-79, which involves improper neutralization of input during web page generation, leading to script injection. The attack vector requires network access and low attack complexity, with privileges needed at the contributor level, but no user interaction is necessary for exploitation beyond page access. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed in the context of affected users. Availability is not impacted. The CVSS 3.1 base score of 6.4 reflects these factors. No public exploits are known at this time, but the vulnerability is published and should be addressed promptly. The plugin is widely used in WordPress environments, increasing the potential attack surface.

The vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into web pages, which execute in the browsers of any visitors to those pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. For organizations, this can result in reputational damage, loss of user trust, data breaches, and compliance violations. Since contributor-level access is relatively low privilege, insider threats or compromised contributor accounts can be leveraged to exploit this vulnerability. The scope includes all websites using the affected plugin version, which may be substantial given the popularity of Elementor and its addons. Although availability is not directly affected, the integrity and confidentiality risks are significant, especially for sites with sensitive user data or high traffic. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are public.

Organizations should immediately update the Ultra Addons Lite for Elementor plugin to a version that patches this vulnerability once available. Until a patch is released, administrators should restrict contributor-level permissions to trusted users only and audit existing contributors for suspicious activity. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injection attempts targeting the 'Animated Text' field can reduce risk. Regularly scanning website content for injected scripts and monitoring logs for anomalous behavior is advised. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Educate content contributors about secure input practices and the risks of injecting untrusted content. Finally, consider disabling or limiting the use of the vulnerable widget if feasible until patched.