The Plus Addons for Elementor <=6.4.9 Authenticated Stored XSS (CVE-2025-2385)

Key Vulnerability Summary 1. Vulnerability Overview Vulnerability Name: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar Vulnerability Type: Stored Cross-Site Scripting (XSS) Trigger Condition: Requires authentication (Contributor+ level) Trigger Point: Progress Bar CVE ID: CVE-2025-2385 CVSS Score: 5.3 (Medium) Discoverer: Quoc Huy (iwingz) Publication Date: February 21, 2026 2. Scope of Impact Affected Software: The Plus Addons for Elementor (WordPress Plugin) Affected Versions: <= 6.4.9 3. Remediation Recommended Action: Update to version 6.4.10 or any higher patched version. 4. Other Recent Vulnerabilities This page also lists other recent vulnerabilities for this plugin, including: CVE-2025-2386 (CVSS 4.3) - Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation CVE-2025-9698 (CVSS 6.4) - Authenticated (Author+) Stored Cross-Site Scripting via SVG CVE-2025-55712 (CVSS 4.3) - Missing Authorization CVE-2025-7646 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-49076 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-1287 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets CVE-2024-11829 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-53823 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-10365 (CVSS 4.3) - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates (Note: The screenshot does not contain specific POC code blocks)

Goal Reached Thanks to every supporter — we hit 100%!

The Plus Addons for Elementor <=6.4.9 Authenticated Stored XSS (CVE-2025-2385)

More from this source