CVE-2025-6252
BaseFortify
Publication date: 2025-06-28
Last updated on: 2025-07-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qodeinteractive | qi_addons_for_elementor | to 1.9.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Qi Addons For Elementor WordPress plugin. It occurs because the plugin does not properly sanitize and escape input data in several parameters, allowing authenticated users with Contributor-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the affected page, potentially compromising user data or site integrity. [1]
How can this vulnerability impact me? :
The vulnerability allows attackers with Contributor-level access or above to inject arbitrary web scripts into pages. This can lead to unauthorized actions such as stealing user credentials, hijacking user sessions, defacing the website, or distributing malware to visitors. Since the scripts execute in the context of the website, it can compromise the security and trustworthiness of the site for all users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the Qi Addons For Elementor plugin version 1.9.1 or earlier is installed on your WordPress site and checking for the presence of stored Cross-Site Scripting (XSS) payloads in pages created or edited by users with Contributor-level access or higher. Since the vulnerability involves injection via several parameters, you can scan for suspicious script tags or event handlers in page content. Specific commands are not provided in the resources, but typical detection methods include using web vulnerability scanners that detect stored XSS or manually inspecting page source for injected scripts. Additionally, reviewing the plugin's JavaScript file `main.js` for unescaped dynamic data handling may help confirm vulnerability presence. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Qi Addons For Elementor plugin to a version later than 1.9.1 where the vulnerability has been fixed by improved input sanitization and output escaping in the plugin's JavaScript components. If updating is not immediately possible, restrict Contributor-level and higher user permissions to trusted users only, and consider disabling or limiting the use of affected plugin features that handle dynamic content such as sliders, lightbox popups, and animations. Monitoring and sanitizing user inputs before saving can also help reduce risk. [1]