Xpro Addons — 140+ Widgets for Elementor Vulnerability (Medium) – C…


Feb 26, 2026 | Plugins

Attack Vectors

The WordPress plugin Xpro Addons — 140+ Widgets for Elementor (slug: xpro-elementor-addons) is affected by a Medium-severity vulnerability (CVE-2025-63044, CVSS 6.4) that enables stored cross-site scripting (XSS) by an authenticated user with Contributor-level access or higher.

This means the most likely paths of exploitation are normal content creation workflows: any scenario where a Contributor (or higher role) can add or edit content using Elementor and Xpro widgets, and submit that content for review or publish it (depending on permissions). A default WordPress Contributor cannot publish, so the typical trigger is an Editor or Administrator previewing the pending post, which is exactly the session an attacker wants to reach. Once the malicious script is stored in the widget settings, it runs automatically whenever a visitor or staff member views the affected page.

Organizations are at higher risk if they have multiple contributors (internal teams, agencies, freelancers), accept guest posts, or use shared accounts—because the attacker doesn’t need admin access to begin injecting content.

Security Weakness

CVE-2025-63044 is caused by insufficient input sanitization and output escaping in versions of Xpro Addons — 140+ Widgets for Elementor up to and including 1.4.19.1. In practical terms, the plugin allows certain user-supplied widget settings to be saved in the database and later written into the page without being escaped for the HTML context (attribute, URL or text) in which they land, so script content is not neutralized.

Because it is stored XSS, the injected code persists and can affect many users over time, rather than requiring a one-time click on a malicious link. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects that exploitation is possible over the network with low complexity and only low privileges; the changed scope (S:C) captures that the script executes in other users' browsers, outside the plugin's own privilege boundary, with a limited impact on the confidentiality and integrity of their sessions and of site content.

Remediation is straightforward: update to version 1.4.20 or newer (patched) as advised by the vendor/community reporting source.
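To make the weakness concrete, here is an added example (not code from Xpro Addons or Elementor; the widget class, its three settings keys and the sample payload are assumptions) of an Elementor widget that prints Contributor-controlled settings, first unsafely and then with context-appropriate escaping:

```php
<?php
// Added illustration, not code from Xpro Addons or Elementor. The widget class,
// its settings keys ('title', 'link', 'body') and the payload are assumed. It
// contrasts settings echoed raw with settings escaped for the context they land in.

class Hypothetical_Card_Widget extends \Elementor\Widget_Base {

	public function get_name() {
		return 'hypothetical_card';
	}

	public function get_title() {
		return 'Hypothetical Card';
	}

	protected function register_controls() {
		$this->start_controls_section( 'content', [ 'label' => 'Content' ] );
		$this->add_control( 'title', [ 'type' => \Elementor\Controls_Manager::TEXT ] );
		$this->add_control( 'link',  [ 'type' => \Elementor\Controls_Manager::URL ] );
		$this->add_control( 'body',  [ 'type' => \Elementor\Controls_Manager::WYSIWYG ] );
		$this->end_controls_section();
	}

	// Constructed sample of what a Contributor could save as the title:
	//   "><img src=x onerror="alert(document.domain)
	// In render_vulnerable() it closes the title attribute and adds an element
	// with an event handler; in render() it is printed as inert text.

	// VULNERABLE pattern: stored settings are concatenated straight into the page.
	protected function render_vulnerable() {
		$s = $this->get_settings_for_display();

		echo '<div class="card" title="' . $s['title'] . '">';
		echo '<a href="' . $s['link']['url'] . '">' . $s['title'] . '</a>';
		echo '<div class="body">' . $s['body'] . '</div>';
		echo '</div>';
	}

	// HARDENED pattern: escape on output, choosing the function by context.
	protected function render() {
		$s = $this->get_settings_for_display();

		// Attribute value: esc_attr() encodes quotes, so the attribute cannot be closed early.
		echo '<div class="card" title="' . esc_attr( $s['title'] ) . '">';

		// URL: esc_url() drops javascript:/data: schemes and encodes unsafe characters.
		// Text node: esc_html() encodes < > & " '.
		echo '<a href="' . esc_url( $s['link']['url'] ) . '">' . esc_html( $s['title'] ) . '</a>';

		// Rich text where limited markup is wanted: wp_kses_post() keeps the tags and
		// attributes allowed in post content and strips <script>, on* handlers and
		// javascript: URLs. It is a filter, not an encoder, so it does not replace
		// esc_attr()/esc_url() in attribute and URL contexts.
		echo '<div class="body">' . wp_kses_post( $s['body'] ) . '</div>';

		echo '</div>';
	}
}
```

Widget settings are stored by Elementor in its own post meta and printed by the widget's render() method, so the escaping inside render() is the control that applies; WordPress core's filtering of post_content on save does not reach them. A payload that survives into the stored settings fires for whoever renders the page, including the Editor or Administrator who previews a Contributor's pending post.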

Technical or Business Impacts

For business leaders, the key risk is that a Contributor-level compromise (or malicious insider) can turn into broader business damage without needing admin credentials. Stored XSS can be used to tamper with what visitors see (brand damage), capture data entered on the page, or act inside the browser session of whoever views the content. On WordPress the session cookies are HttpOnly, so the realistic path is not cookie theft but script that drives the victim's authenticated session: when the victim is an Administrator reviewing pending content, that script can fetch nonces and submit requests that create users, change settings, or install code, which is how a Contributor account becomes site takeover.

Typical impacts include:

Brand and campaign risk: A malicious script can alter landing pages, inject unwanted redirects, or manipulate forms and calls-to-action—undermining paid traffic performance and customer trust.

Compliance and privacy exposure: If the injected script captures user-entered data (for example, via modified forms or page elements), it can create an incident with regulatory implications depending on what data is collected and where your business operates.

Operational disruption: Cleaning up stored XSS often requires auditing affected pages/templates, restoring content, and reviewing user accounts and permissions—drawing time away from marketing execution and site operations.

Recommended actions: Update Xpro Addons — 140+ Widgets for Elementor to 1.4.20+, review Contributor/Author access (especially third parties and shared accounts), and add content security controls as part of your standard web risk management program, for example tighter publishing workflows, periodic scans of stored Elementor widget settings for unexpected script, and a Content-Security-Policy that disallows inline script so that injected markup has less effect even when a plugin fails to escape it.
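One way to do the monitoring mentioned above is to scan the widget settings Elementor keeps in the `_elementor_data` post meta for script-like content. The following WP-CLI script is an added example, not part of Xpro Addons or Elementor; the pattern list, the function names and the output format are assumptions:

```php
<?php
// Added audit script, not part of Xpro Addons or Elementor.
// Run from the site root with WP-CLI:  wp eval-file audit-elementor-data.php
// It decodes the '_elementor_data' post meta of every post, walks the element
// tree and reports settings that contain script-like markup for manual review.
// The pattern list is an assumption; tune it to your content.

const AUDIT_PATTERNS = [
	'/<\s*script\b/i',
	'/\bon[a-z]+\s*=/i',                  // onerror=, onload=, onmouseover= ...
	'/javascript\s*:/i',
	'/<\s*(iframe|object|embed|svg)\b/i',
	'/\bsrcdoc\s*=/i',
];

// Settings can be nested arrays (URL controls, repeaters); collect every string.
function audit_flatten( $value ): array {
	if ( is_array( $value ) ) {
		$out = [];
		foreach ( $value as $v ) {
			$out = array_merge( $out, audit_flatten( $v ) );
		}
		return $out;
	}
	return is_string( $value ) ? [ $value ] : [];
}

// Each Elementor node carries 'settings' and child 'elements'; recurse into both.
function audit_elementor_tree( array $elements, array &$hits, string $path = '' ): void {
	foreach ( $elements as $i => $el ) {
		$type = $el['widgetType'] ?? ( $el['elType'] ?? 'unknown' );
		$here = $path . '/' . $i . ':' . $type;

		foreach ( ( $el['settings'] ?? [] ) as $key => $value ) {
			foreach ( audit_flatten( $value ) as $text ) {
				foreach ( AUDIT_PATTERNS as $re ) {
					if ( preg_match( $re, $text ) ) {
						$hits[] = [ 'path' => $here, 'key' => $key, 'value' => substr( $text, 0, 120 ) ];
						break;
					}
				}
			}
		}

		if ( ! empty( $el['elements'] ) && is_array( $el['elements'] ) ) {
			audit_elementor_tree( $el['elements'], $hits, $here );
		}
	}
}

$post_ids = get_posts( [
	'post_type'      => 'any',
	'post_status'    => 'any',
	'posts_per_page' => -1,
	'meta_key'       => '_elementor_data',
	'fields'         => 'ids',
] );

$total = 0;
foreach ( $post_ids as $post_id ) {
	$raw  = get_post_meta( $post_id, '_elementor_data', true );
	$tree = is_string( $raw ) ? json_decode( $raw, true ) : null;
	if ( ! is_array( $tree ) ) {
		continue;
	}

	$hits = [];
	audit_elementor_tree( $tree, $hits );
	if ( ! $hits ) {
		continue;
	}

	// Report who last owns the content: a Contributor/Author account is the
	// case this advisory is about.
	$author = get_userdata( (int) get_post_field( 'post_author', $post_id ) );
	$who    = $author ? $author->user_login . ' [' . implode( ',', $author->roles ) . ']' : 'unknown';
	WP_CLI::warning( sprintf( 'Post %d (%s, %s, author %s)', $post_id, get_post_type( $post_id ), get_post_status( $post_id ), $who ) );
	foreach ( $hits as $h ) {
		WP_CLI::log( sprintf( '  %s setting %s: %s', $h['path'], $h['key'], $h['value'] ) );
	}
	$total += count( $hits );
}

WP_CLI::log( sprintf( 'Scanned %d Elementor posts, %d suspicious settings.', count( $post_ids ), $total ) );
```

Hits are leads, not verdicts: rich-text widgets can legitimately contain some of these strings, so review each flagged post, and treat any hit on content owned by a Contributor or Author account as a priority. `post_type => 'any'` skips post types registered with `exclude_from_search` (revisions among them); pass an explicit post_type list to widen the scan. Pair it with `wp user list --role=contributor --fields=ID,user_login,user_email,registered` when reviewing which accounts have that access.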

Similar Attacks

Stored XSS in content and plugin components has repeatedly been used to compromise websites, redirect traffic, and steal data, and the same low-privilege entry points have carried other vulnerability classes. Examples from the WordPress ecosystem:

CVE-2024-27956 (WordPress plugin: WP-Automatic) — Unauthenticated SQL injection, exploited in the wild to create administrator accounts

CVE-2023-2745 (WordPress Core) — Directory traversal via the wp_lang parameter, fixed in 6.2.1

CVE-2021-29447 (WordPress Core: Media) — XML External Entity (XXE) injection via uploaded WAV file metadata, reachable by an Author-level user
