CVE-2025-9698
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-10-14
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| the_plus_addons | elementor | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9698 is a Stored Cross-Site Scripting (XSS) vulnerability in The Plus Addons for Elementor WordPress plugin versions before 6.3.16. The plugin does not properly sanitize SVG file contents, allowing users with at least Author role permissions to upload SVG files containing malicious JavaScript. When these SVG files are accessed, the embedded script executes, leading to stored XSS attacks. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers with Author-level access to inject malicious scripts into SVG files uploaded to the site. When other users or administrators view these SVG files, the malicious scripts execute, potentially compromising their accounts, stealing sensitive information, or performing unauthorized actions on behalf of the users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, check if your WordPress site is running The Plus Addons for Elementor plugin version prior to 6.3.16. You can verify the plugin version via the WordPress admin dashboard or by running commands to list installed plugins and their versions. Additionally, inspect uploaded SVG files in the Media Library for embedded <script> tags or suspicious JavaScript code. For example, you can download SVG files from the uploads directory and search for <script> tags using command line tools like grep: grep -i '<script' /path/to/wp-content/uploads/**/*.svg. Also, monitor HTTP requests to SVG files for unusual activity or alert triggers. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update The Plus Addons for Elementor plugin to version 6.3.16 or later, where the vulnerability is fixed by proper sanitization of SVG file contents. Additionally, restrict upload permissions to trusted users only, especially limiting Author role users from uploading SVG files until the update is applied. Review and remove any suspicious SVG files containing embedded scripts from your Media Library to prevent exploitation. [1]