VulnerAlert



WORDPRESS
10-09-2025 02:20

CVE-2025-8388 Documented vulnerability

6.4 MEDIUM
Description
The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor_url’ parameter in all versions up to, and including, 2.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
https://plugins.trac.wordpress.org/browser/powerpack-lite-for-elementor/trunk/extensions/custom-cursor.php#L402
https://plugins.trac.wordpress.org/changeset/3357005/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3cd8bed0-fcfe-4927-b393-ddabbe8c3e6b?source=cve

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-8388
This project was co-financed by the Consejo Nacional de Ciencia y Tecnología (CONACYT) through PROINNOVA 2021/2023