CVE-2025-13368
Stored XSS in Xpro Addons Elementor Pricing Widget
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xpro | addons | to 1.4.20 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Xpro Addons β 140+ Widgets for Elementor WordPress plugin (up to version 1.4.20) is a Stored Cross-Site Scripting (XSS) issue in the Pricing Widget's 'onClick Event' setting. It occurs because the plugin does not properly sanitize or escape input, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code. This malicious script then executes whenever any user accesses the affected page.
The root cause was insufficient access control and lack of proper escaping of the 'onclick_event' attribute, which allowed unauthorized JavaScript injection.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with contributor or higher privileges to inject malicious JavaScript into pages via the Pricing Widget. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of sensitive information, session hijacking, or other malicious actions.
Because the attack is stored, the malicious code persists on the site and affects all visitors to the compromised pages, increasing the risk and impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Xpro Addons for Elementor WordPress plugin version 1.4.20 or earlier is installed and if the Pricing Widget's 'onClick Event' setting is being used by authenticated users with contributor level access or above.
Since the vulnerability allows injection of arbitrary JavaScript via the 'onclick_event' attribute, you can search your WordPress database or page source code for suspicious or unexpected JavaScript code within the Pricing Widget areas.
A practical approach is to run database queries to find instances of the 'onclick_event' attribute or suspicious script tags in post content or widget settings.
- Use WP-CLI to search for 'onclick_event' in widget settings or post meta: wp db query "SELECT * FROM wp_postmeta WHERE meta_value LIKE '%onclick_event%'"
- Search the WordPress uploads or themes directories for injected JavaScript files or suspicious code using grep: grep -r --include='*.php' 'onclick_event' /path/to/wordpress/
- Check the plugin version installed by running: wp plugin list | grep xpro-elementor-addons
Monitoring HTTP traffic for unexpected JavaScript execution or unusual POST requests from contributor-level users modifying the Pricing Widget can also help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to update the Xpro Addons for Elementor WordPress plugin to version 1.4.21 or later, where the vulnerability has been fixed.
This update enforces capability checks restricting the 'onclick_event' control to users with 'manage_options' capability and properly escapes the attribute to prevent script injection.
If updating immediately is not possible, restrict contributor-level and other lower privileged users from accessing or modifying the Pricing Widget's 'onClick Event' setting.
Additionally, review and sanitize any existing content or widget settings that may contain injected JavaScript to prevent stored cross-site scripting.
Implement monitoring for suspicious activity related to widget modifications and consider temporarily disabling the Pricing Widget if feasible until the patch is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated users with contributor level access and above to inject arbitrary JavaScript into pages via the Pricing Widget's 'onClick Event' setting. This could lead to unauthorized script execution when other users access the affected pages.
Such unauthorized script injection can potentially lead to data exposure or manipulation, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.
However, the provided information does not explicitly state the direct impact on compliance with these standards.