The Plus Addons for Elementor <=6.4.9 Authenticated Stored XSS (CVE-2025-2385)

漏洞关键信息总结 1. 漏洞概述 漏洞名称: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar 漏洞类型: 存储型跨站脚本攻击 (Stored Cross-Site Scripting, XSS) 触发条件: 需要认证权限 (Contributor+ 级别) 触发点: 进度条 (Progress Bar) CVE ID: CVE-2025-2385 CVSS 评分: 5.3 (Medium) 发现者: Quoc Huy (iwingz) 发布日期: 2026年2月21日 2. 影响范围 受影响软件: The Plus Addons for Elementor (WordPress 插件) 受影响版本: <= 6.4.9 3. 修复方案 建议操作: 更新到版本 6.4.10 或任何更高版本的已修复补丁。 4. 其他近期相关漏洞 (Recent vulnerabilities) 该页面还列出了该插件的其他近期漏洞，包括： CVE-2025-2386 (CVSS 4.3) - Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation CVE-2025-9698 (CVSS 6.4) - Authenticated (Author+) Stored Cross-Site Scripting via SVG CVE-2025-55712 (CVSS 4.3) - Missing Authorization CVE-2025-7646 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-49076 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-1287 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets CVE-2024-11829 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-53823 (CVSS 6.4) - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-10365 (CVSS 4.3) - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates (注：截图中未包含具体的POC代码块)

目標達成すべての支援者に感謝 — 100%達成しました！

The Plus Addons for Elementor <=6.4.9 Authenticated Stored XSS (CVE-2025-2385)

このソースからの他の記事

目標達成 すべての支援者に感謝 — 100%達成しました！

The Plus Addons for Elementor <=6.4.9 Authenticated Stored XSS (CVE-2025-2385)

このソースからの他の記事

目標達成すべての支援者に感謝 — 100%達成しました！