CVE-2025-9698
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-13

Last updated on: 2025-10-14

Assigner: WPScan

Description
The Plus Addons for Elementor WordPress plugin before 6.3.16 does not sanitize SVG file contents, which could allow users with minimum role access as Author to perform Stored Cross-Site Scripting attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-13
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9698
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
the_plus_addons elementor *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9698 is a Stored Cross-Site Scripting (XSS) vulnerability in The Plus Addons for Elementor WordPress plugin versions before 6.3.16. The plugin does not properly sanitize SVG file contents, allowing users with at least Author role permissions to upload SVG files containing malicious JavaScript. When these SVG files are accessed, the embedded script executes, leading to stored XSS attacks. [1]

Impact Analysis

This vulnerability can allow attackers with Author-level access to inject malicious scripts into SVG files uploaded to the site. When other users or administrators view these SVG files, the malicious scripts execute, potentially compromising their accounts, stealing sensitive information, or performing unauthorized actions on behalf of the users. [1]

Detection Guidance

To detect this vulnerability, check if your WordPress site is running The Plus Addons for Elementor plugin version prior to 6.3.16. You can verify the plugin version via the WordPress admin dashboard or by running commands to list installed plugins and their versions. Additionally, inspect uploaded SVG files in the Media Library for embedded <script> tags or suspicious JavaScript code. For example, you can download SVG files from the uploads directory and search for <script> tags using command line tools like grep: grep -i '<script' /path/to/wp-content/uploads/**/*.svg. Also, monitor HTTP requests to SVG files for unusual activity or alert triggers. [1]

Mitigation Strategies

The immediate mitigation step is to update The Plus Addons for Elementor plugin to version 6.3.16 or later, where the vulnerability is fixed by proper sanitization of SVG file contents. Additionally, restrict upload permissions to trusted users only, especially limiting Author role users from uploading SVG files until the update is applied. Review and remove any suspicious SVG files containing embedded scripts from your Media Library to prevent exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9698. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart