CVE-2025-9082 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the WPBITS Addons For Elementor Page Builder plugin for WordPress. This vulnerability affects all versions up to and including 1.8. The root cause is insufficient sanitization of user input and inadequate escaping of output when dynamic content is enabled within multiple widget parameters. Authenticated attackers with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability does not require user interaction beyond visiting the affected page, and no elevated privileges beyond contributor are needed for exploitation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required. No patches or known exploits have been reported at the time of publication, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors and dynamic content enabled.

This vulnerability can lead to significant security risks for organizations running WordPress sites with the WPBITS Addons For Elementor plugin. Exploitation allows attackers to execute arbitrary scripts in the context of site visitors, potentially leading to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and defacement or redirection attacks. Since contributors can inject malicious code, insider threats or compromised contributor accounts increase risk. The scope includes all users visiting the infected pages, which could be large for popular sites. Although it does not directly impact availability, the integrity and confidentiality of user data and site content are at risk. This can damage organizational reputation, lead to data breaches, and cause compliance issues. The medium CVSS score reflects moderate impact, but the ease of exploitation by authenticated users and the stored nature of the XSS make it a notable threat.

Organizations should immediately audit their WordPress installations for the presence of the WPBITS Addons For Elementor plugin and verify the version in use. Since no official patches are currently available, administrators should consider temporarily disabling the plugin or restricting contributor permissions until a fix is released. Implement strict input validation and output escaping at the application level where possible, especially for dynamic content features. Employ Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting this plugin's parameters. Limit the number of users with contributor or higher privileges and enforce strong authentication and monitoring on these accounts. Regularly review and sanitize content submitted by contributors. Monitor site logs for suspicious activity indicative of XSS exploitation attempts. Stay updated with vendor advisories for patches and apply them promptly once available.