Community Alert Hong Kong: Elementor XSS (CVE-2025-8444)

Cross Site Scripting (XSS) in WordPress Animation Addons for Elementor Plugin
Plugin name: WordPress Animation Addons for Elementor
Vulnerability type: Cross-Site Scripting (XSS)
CVE number: CVE-2025-8444
Urgency: Low
CVE publication date: 2026-06-10
Source URL: CVE-2025-8444

Urgent: Authenticated Contributor DOM-based Stored XSS in “Animation Addons for Elementor” (<= 2.6.7) — What WordPress Site Owners Must Do Now

Published: 9 June, 2026
Severity: CVSS 6.5 (Medium) — CVE-2025-8444
Affected software: Animation Addons for Elementor (GSAP Motion Elementor Addons & Website Templates) — versions ≤ 2.6.7
Privilege required: Contributor (authenticated)
Exploitation type: DOM-based stored Cross-Site Scripting (XSS) — stored payload executed in the victim’s browser when the stored content is rendered or interacted with

From the perspective of a Hong Kong security expert: this advisory is practical and action-oriented. The vulnerability allows an authenticated Contributor to persist JavaScript payloads in plugin-managed data. When certain pages or admin panels render or interact with that stored content, the payload may execute in the browser of other users — including Editors and Administrators. Potential consequences include credential theft, session hijacking, site defacement, persistent backdoors, or privileged account compromise.


Executive summary

  • What happened: A Contributor can persist JavaScript into site data that is later read by client-side plugin code and injected unsafely into the DOM, causing execution in visitors’ browsers.
  • Who is at risk: Any site running the vulnerable plugin versions (≤ 2.6.7) that allows Contributors or similar low-privileged accounts to create templates, animation settings, or rich content.
  • Immediate action: Restrict Contributor accounts, audit stored content for script-like payloads, apply containment controls (disable the plugin if necessary, use WAF/virtual patching where available, enforce CSP), and plan a code fix or upgrade.
  • Long term: Fix plugin code with proper input validation and safe output encoding, adopt least-privilege practices, enforce 2FA, logging and monitoring, and ensure timely patching procedures.

What is DOM-based stored XSS? Why it matters

Cross-Site Scripting (XSS) typically appears in three forms:

  • Stored (persistent) XSS — attacker-supplied input is stored on the server (database, postmeta, plugin settings) and later served to users without safe encoding.
  • Reflected XSS — payloads reflected in server responses from URL parameters or form inputs.
  • DOM-based XSS — the vulnerability arises in the browser when client-side JavaScript processes untrusted data and inserts it into the DOM unsafely.

This advisory concerns DOM-based stored XSS: an attacker stores a payload (e.g., in a template, animation configuration, or plugin field). When client-side plugin code later reads that value and injects it into the page DOM using unsafe APIs (innerHTML, eval, etc.), the script executes in the victim’s browser.

Key risks:

  • Execution in the context of any user viewing the affected page — admin sessions are high-value targets.
  • Persistence — the payload remains until removed, allowing repeated exploitation.
  • Server-side filters may be bypassed because the final injection occurs client-side.

Typical attack flow (high-level)

  1. Attacker obtains or registers a Contributor account (or similar low-privileged role).
  2. Using plugin UI available to that role, attacker saves crafted data (animation settings, template metadata, custom fields) containing a JavaScript payload.
  3. Data is stored in database tables (posts, postmeta, options, or plugin tables).
  4. When another user (Editor, Admin or visitor) opens a page or admin screen, plugin JavaScript reads the stored value and injects it into the DOM unsafely, triggering execution.
  5. Payload consequences depend on target: session theft, account takeover, backdoors, content modification, or malware delivery.

Real impacts seen with similar vulnerabilities

  • Administrative takeover by exfiltrating session cookies or auth tokens.
  • Silent installation of backdoors or malicious plugins when an admin’s browser executes attacker code.
  • SEO and reputational damage from injected spam content.
  • Persistence through postmeta or template JSON that survives updates and backups.
  • Theft of customer/payment data on pages where sensitive interactions occur.

Even with a medium CVSS rating, urgency is warranted because the attack chain requires only low privileges to establish persistence and can later affect high-value accounts.

How to quickly determine whether you are affected

  1. Confirm the plugin and version:
    • Admin > Plugins: check for “Animation Addons for Elementor” or related GSAP/animation addons.
    • If version is ≤ 2.6.7, treat as vulnerable.
  2. Inspect user roles:
    • Users > All Users: look for Contributor accounts and recent additions or changes.
    • Check whether Contributors can create templates, animations, or upload content.
  3. Search database for suspicious script tags or JSON:

    Examples (adjust prefixes as needed):

    wp db query "SELECT ID, post_title, post_type FROM wp_posts WHERE post_content LIKE '%
    wp db query "SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_value LIKE '%
  4. Check logs for unusual admin actions, unexpected POSTs to admin-ajax.php, or REST endpoints related to the plugin.
  5. Examine plugin UI: templates, animation libraries, and user-editable fields that accept HTML, JSON, or script-like input.
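The database search in step 3 is often done over an export of wp_posts / wp_postmeta rather than one LIKE clause at a time. The following scanner is an added example, not part of this advisory or of the plugin: it flags script-like content in constructed sample rows, including payloads hidden behind JSON unicode escapes (\u003c) or HTML entities that a plain LIKE '%<script%' would miss. Meta keys and row contents are constructed for illustration.

```javascript
// Added example (not from the advisory or the plugin): scan WordPress-style
// rows for script-like content that a low-privileged account may have stored.

const SUSPICIOUS = [
  /<\s*script\b/i,                     // opening <script> tag
  /\bon[a-z]+\s*=/i,                   // inline event handler attribute (onload=, onerror=, ...)
  /javascript\s*:/i,                   // javascript: URL scheme in href/src
  /<\s*(iframe|object|embed|svg)\b/i,  // scriptable or embedding elements
];

// Plugin settings are usually stored JSON-encoded, where '<' may be written as
// \u003c, and page content may carry HTML entities. Decode both once so the
// regexes see the same characters the browser eventually will.
function normalize(value) {
  let text = String(value);
  try {
    text = JSON.stringify(JSON.parse(text));  // decodes \uXXXX escapes, keeps '<' literal
  } catch {
    /* not JSON: leave as-is */
  }
  return text.replace(/&lt;/gi, '<').replace(/&#0*60;/g, '<');
}

// Returns one entry per row that matches at least one pattern, with the
// pattern sources so an analyst knows what to look at.
function findSuspiciousRows(rows) {
  const hits = [];
  for (const row of rows) {
    const text = normalize(row.value);
    const matched = SUSPICIOUS.filter((re) => re.test(text)).map((re) => re.source);
    if (matched.length) hits.push({ id: row.id, key: row.key, matched });
  }
  return hits;
}

// Constructed sample rows shaped like wp_postmeta (post_id, meta_key, meta_value).
// The meta keys are hypothetical, not the plugin's real ones.
const SAMPLE_ROWS = [
  { id: 101, key: '_anim_settings', value: '{"duration":1.2,"ease":"power2.out"}' },
  { id: 102, key: '_anim_settings', value: '{"label":"\\u003cscript\\u003epayload()\\u003c/script\\u003e"}' },
  { id: 103, key: '_anim_template', value: '<a href="javascript:void(0)">Go</a>' },
  { id: 104, key: '_anim_template', value: '&lt;div onload=payload()&gt;' },
  { id: 105, key: '_anim_template', value: 'Plain text title' },
];

console.log(findSuspiciousRows(SAMPLE_ROWS));  // rows 102, 103 and 104 are flagged
```

Feed it the JSON export of a real `wp db query` run (or a `wp post meta list` dump) and review each hit by hand; matches such as `javascript:void(0)` can be legitimate, so the output is a review queue, not a verdict.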

If you find stored

Server-side: pass plugin data to scripts as JSON, not as raw strings

// Better:
$cfg = wp_json_encode( $sanitized_data );
wp_add_inline_script( 'plugin-handle', "var cfg = {$cfg};", 'before' );

Client-side: prefer textContent

// Prefer:
element.textContent = userProvidedString;

// Avoid:
element.innerHTML = userProvidedHtml;
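The unsafe-sink explanation earlier and the textContent guidance just above describe the fix in one line each. As an added example (not the plugin's code), here is the same idea carried through for a stored animation configuration read back as JSON: validate every field into a typed value first, then build the DOM with createElement, textContent and setAttribute so there is no HTML sink at all. The field names (label, duration, ease, href) and the allowed easing tokens are hypothetical.

```javascript
// Added example, not plugin code: render a Contributor-supplied animation
// configuration from the database without any innerHTML/eval sink.

const ALLOWED_EASES = new Set(['linear', 'power1.out', 'power2.out', 'back.out']);

// Step 1: turn the stored JSON into plain typed fields. Values not on an
// allow-list are dropped or replaced, so nothing here can carry markup.
function sanitizeAnimationConfig(storedJson) {
  let raw;
  try { raw = JSON.parse(storedJson); } catch { raw = {}; }
  if (raw === null || typeof raw !== 'object') raw = {};

  const duration = Number(raw.duration);

  // Only absolute http(s) URLs are kept (assumption); javascript: and data: are rejected.
  let href = '';
  try {
    const u = new URL(String(raw.href ?? ''));
    if (u.protocol === 'https:' || u.protocol === 'http:') href = u.href;
  } catch { /* relative or malformed: keep empty */ }

  return {
    label: String(raw.label ?? '').slice(0, 200),  // any text is fine: it is rendered as text
    duration: Number.isFinite(duration) ? Math.min(Math.max(duration, 0), 10) : 1,
    ease: ALLOWED_EASES.has(raw.ease) ? raw.ease : 'linear',
    href,
  };
}

// Step 2: build nodes with DOM construction APIs only. `doc` is the page's
// `document`; it is passed in so the function can be exercised outside a browser.
function renderAnimationBlock(doc, cfg) {
  const box = doc.createElement('div');
  box.className = 'anim-block';
  box.dataset.duration = String(cfg.duration);  // validated number
  box.dataset.ease = cfg.ease;                  // allow-listed token
  const link = doc.createElement('a');
  link.textContent = cfg.label;                 // text node, never parsed as HTML
  if (cfg.href) link.setAttribute('href', cfg.href);
  box.appendChild(link);
  return box;
}

if (typeof document !== 'undefined') {
  const cfg = sanitizeAnimationConfig('{"label":"<b>hi</b>","duration":"99","ease":"eval()","href":"javascript:x"}');
  document.body.appendChild(renderAnimationBlock(document, cfg));  // shows the literal text <b>hi</b>
}
```

Note that the label is deliberately not HTML-escaped here: escaping is the right tool only when the value is going to be parsed as HTML, and with textContent it never is, so a second layer of encoding would only produce visible &amp;lt; artifacts.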

WAF / virtual patching guidance (generic)

While awaiting an upstream patch, consider virtual patching rules at the web layer to reduce risk:

  • Block requests that attempt to inject