| Plugin Name | WordPress Animation Addons for Elementor |
|---|---|
| Type of Vulnerability | Cross-Site Scripting (XSS) |
| CVE Number | CVE-2025-8444 |
| Urgency | Low |
| CVE Publish Date | 2026-06-10 |
| Source URL | CVE-2025-8444 |
Urgent: Authenticated Contributor DOM-based Stored XSS in “Animation Addons for Elementor” (<= 2.6.7) — What WordPress Site Owners Must Do Now
Published: 9 June, 2026
Severity: CVSS 6.5 (Medium) — CVE-2025-8444
Affected software: Animation Addons for Elementor (GSAP Motion Elementor Addons & Website Templates) — versions ≤ 2.6.7
Required privilege: Contributor (authenticated)
Exploit type: DOM-based stored Cross-Site Scripting (XSS) — stored payload executed in victim’s browser when the stored content is rendered or interacted with
From the perspective of a Hong Kong security expert: this advisory is practical and action-oriented. The vulnerability allows an authenticated Contributor to persist JavaScript payloads in plugin-managed data. When certain pages or admin panels render or interact with that stored content, the payload may execute in the browser of other users — including Editors and Administrators. Potential consequences include credential theft, session hijacking, site defacement, persistent backdoors, or privileged account compromise.
Executive summary
- What happened: A Contributor can persist JavaScript into site data that is later read by client-side plugin code and injected unsafely into the DOM, causing execution in visitors’ browsers.
- Who is at risk: Any site running the vulnerable plugin versions (≤ 2.6.7) that allows Contributors or similar low-privileged accounts to create templates, animation settings, or rich content.
- Immediate action: Restrict Contributor accounts, audit stored content for script-like payloads, apply containment controls (disable plugin if necessary, use WAF/virtual patching where available, enforce CSP), and plan a code fix or upgrade.
- Long-term: Fix plugin code with proper input validation and safe output encoding, adopt least privilege practices, enforce 2FA, logging and monitoring, and ensure timely patching procedures.
What is DOM-based stored XSS? Why it matters
Cross-Site Scripting (XSS) typically appears in three forms:
- Stored (persistent) XSS — attacker-supplied input is stored on the server (database, postmeta, plugin settings) and later served to users without safe encoding.
- Reflected XSS — payloads reflected in server responses from URL parameters or form inputs.
- DOM-based XSS — vulnerability arises in the browser when client-side JavaScript processes untrusted data and inserts it into the DOM unsafely.
This advisory concerns DOM-based stored XSS: an attacker stores a payload (e.g., in a template, animation configuration, or plugin field). When client-side plugin code later reads that value and injects it into the page DOM using unsafe APIs (innerHTML, eval, etc.), the script executes in the victim’s browser.
Key risks:
- Execution in the context of any user viewing the affected page — admin sessions are high-value targets.
- Persistence — the payload remains until removed, allowing repeated exploitation.
- Server-side filters may be bypassed because the final injection occurs client-side.
Typical attack flow (high-level)
- Attacker obtains or registers a Contributor account (or similar low-privileged role).
- Using plugin UI available to that role, attacker saves crafted data (animation settings, template metadata, custom fields) containing a JavaScript payload.
- Data is stored in database tables (posts, postmeta, options, or plugin tables).
- When another user (Editor, Admin or visitor) opens a page or admin screen, plugin JavaScript reads the stored value and injects it into the DOM unsafely, triggering execution.
- Payload consequences depend on target: session theft, account takeover, backdoors, content modification, or malware delivery.
Real impacts seen with similar vulnerabilities
- Administrative takeover by exfiltrating session cookies or auth tokens.
- Silent installation of backdoors or malicious plugins when an admin’s browser executes attacker code.
- SEO and reputational damage from injected spam content.
- Persistence through postmeta or template JSON that survives updates and backups.
- Theft of customer/payment data on pages where sensitive interactions occur.
Even with a medium CVSS rating, urgency is warranted because the attack chain requires only low privileges to establish persistence and can later affect high-value accounts.
How to quickly determine if you’re affected
- Confirm plugin and version:
  - Admin > Plugins: check for “Animation Addons for Elementor” or related GSAP/animation addons.
  - If version is ≤ 2.6.7, treat as vulnerable.
- Inspect user roles:
  - Users > All Users: look for Contributor accounts and recent additions or changes.
  - Check whether Contributors can create templates, animations, or upload content.
- Search database for suspicious script tags or JSON. Examples (adjust table prefixes as needed):
  wp db query "SELECT ID, post_title, post_type FROM wp_posts WHERE post_content LIKE '%<script%'"
  wp db query "SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_value LIKE '%<script%'"
- Check logs for unusual admin actions, unexpected POSTs to admin-ajax.php, or REST endpoints related to the plugin.
- Examine plugin UI: templates, animation libraries, and user-editable fields that accept HTML, JSON, or script-like input.
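The LIKE queries above only catch a literal script tag. Stored plugin settings are often JSON, and a payload can sit in a nested field or use an event-handler attribute instead of a script tag. The following is an added example (not part of the original advisory and not the plugin's own code) of a small review script that walks exported wp_postmeta rows, parses JSON values where possible, and flags any string that contains script-like markers. The rows, meta keys and the `_anim_settings` key name are constructed sample data, not values taken from the plugin.

```javascript
// Added example, not from the advisory or the plugin: triage exported
// post/postmeta rows for script-like content so suspect records can be reviewed.
// The rows below are constructed; column names mirror wp_postmeta.

// Markers that indicate active content inside a value that should be plain
// text or configuration JSON. Each carries a short label for the triage report.
const SUSPICIOUS_PATTERNS = [
  { label: 'script-tag',        re: /<\s*script\b/i },
  { label: 'event-handler',     re: /\bon[a-z]+\s*=/i },
  { label: 'js-url',            re: /javascript\s*:/i },
  { label: 'iframe-or-srcdoc',  re: /<\s*iframe\b|\bsrcdoc\s*=/i },
  { label: 'entity-encoded-tag', re: /&(#x3c|#60|lt);\s*script/i },
];

// Findings for one string: [{ label, index }], empty when nothing matched.
function findSuspiciousMarkers(value) {
  if (typeof value !== 'string') return [];
  const findings = [];
  for (const { label, re } of SUSPICIOUS_PATTERNS) {
    const m = re.exec(value);
    if (m) findings.push({ label, index: m.index });
  }
  return findings;
}

// Scan a meta_value that may be JSON (as plugin settings often are): every
// nested string is checked and reported with its key path. Non-JSON values
// are scanned as raw text.
function scanStoredValue(raw) {
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return findSuspiciousMarkers(raw).map(f => ({ ...f, path: '' }));
  }
  const findings = [];
  const walk = (node, path) => {
    if (typeof node === 'string') {
      for (const f of findSuspiciousMarkers(node)) findings.push({ ...f, path });
    } else if (node && typeof node === 'object') {
      for (const [k, v] of Object.entries(node)) walk(v, path ? `${path}.${k}` : k);
    }
  };
  walk(parsed, '');
  return findings;
}

// Rows shaped like `SELECT post_id, meta_key, meta_value FROM wp_postmeta`;
// returns only the rows that need a human look, each with its findings.
function scanPostmetaRows(rows) {
  return rows
    .map(row => ({ ...row, findings: scanStoredValue(row.meta_value) }))
    .filter(row => row.findings.length > 0);
}

// Constructed sample rows: two benign, two that should be flagged.
const SAMPLE_ROWS = [
  { post_id: 12, meta_key: '_anim_settings', meta_value: '{"effect":"fadeIn","duration":0.8}' },
  { post_id: 13, meta_key: '_anim_settings', meta_value: '{"effect":"slideUp","label":"Hero <b>title</b>"}' },
  { post_id: 14, meta_key: '_anim_settings', meta_value: '{"effect":"fadeIn","label":"<script>alert(1)</script>"}' },
  { post_id: 15, meta_key: '_template_meta', meta_value: 'Click <a href="javascript:void(0)" onclick="x()">here</a>' },
];

// Run stand-alone: print a one-line triage summary per flagged row.
for (const row of scanPostmetaRows(SAMPLE_ROWS)) {
  const where = row.findings.map(f => `${f.label}@${f.path || 'raw'}`).join(', ');
  console.log(`post_id=${row.post_id} meta_key=${row.meta_key}: ${where}`);
}
```

Row 13 contains harmless inline formatting and is not flagged; rows 14 and 15 are. A hit is a prompt for review, not proof of compromise, so export the flagged rows with their post IDs and check who last edited those posts and when.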
If you find stored
// Better:
$cfg = wp_json_encode( $sanitized_data );
wp_add_inline_script( 'plugin-handle', "var cfg = {$cfg};", 'before' );
Client-side: prefer textContent
// Prefer:
element.textContent = userProvidedString;
// Avoid:
element.innerHTML = userProvidedHtml;
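The two code fixes above (pass configuration to the page as encoded JSON, then assign stored strings with textContent rather than innerHTML) are shown together below as an added example; it is not the plugin's code and the configuration shape (effect, duration, label) is hypothetical. It also adds the step the advisory asks for under "input validation": the stored JSON is checked against an allowlist and numeric range before any of it is rendered, so a tampered record fails closed. The element stand-in exists only so the example runs outside a browser.

```javascript
// Added example (not the plugin's own code): consuming a stored animation
// configuration without letting its strings reach the DOM as markup.
// The config shape { effect, duration, label } is hypothetical.

// Allowlist of effects the renderer knows how to apply; anything else is rejected.
const ALLOWED_EFFECTS = new Set(['fadeIn', 'slideUp', 'zoomIn']);

// Parse and validate a stored JSON config. Returns a clean object or throws.
function parseAnimationConfig(rawJson) {
  const data = JSON.parse(rawJson);
  if (!data || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('config must be an object');
  }
  if (!ALLOWED_EFFECTS.has(data.effect)) throw new Error('unknown effect');
  const duration = Number(data.duration);
  if (!Number.isFinite(duration) || duration < 0 || duration > 60) {
    throw new Error('duration out of range');
  }
  // Free-text field: kept as a string, length-capped, never interpreted.
  const label = typeof data.label === 'string' ? data.label.slice(0, 200) : '';
  return { effect: data.effect, duration, label };
}

// Escape the characters that matter when text is placed inside HTML, for the
// cases where markup genuinely has to be built as a string.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Server-to-client handoff: JSON destined for an inline <script> block.
// Escaping '<' (and the two Unicode line separators) keeps a stored
// "</script>" from closing the block early; JSON.parse still reads it back.
function serializeForInlineScript(cfg) {
  return JSON.stringify(cfg)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Minimal stand-in for a DOM element so the example runs outside a browser;
// only the properties the advisory contrasts are modelled.
function makeElement() {
  return { innerHTML: '', textContent: '', className: '', style: {} };
}

// The pattern the advisory warns against: the stored label is parsed as markup.
function renderUnsafe(el, cfg) {
  el.innerHTML = `<span class="anim-label">${cfg.label}</span>`;
  return el;
}

// The recommended pattern: structure comes from validated fields, the label is
// assigned as text, so a browser never parses it as HTML.
function renderSafe(el, cfg) {
  el.className = `anim anim-${cfg.effect}`;
  el.style.animationDuration = `${cfg.duration}s`;
  el.textContent = cfg.label;
  return el;
}

// Run stand-alone with a constructed stored record whose label carries markup.
const STORED = '{"effect":"fadeIn","duration":"0.8","label":"<script>alert(1)</script>"}';
const cfg = parseAnimationConfig(STORED);
console.log('inline handoff :', serializeForInlineScript(cfg));
console.log('unsafe innerHTML:', renderUnsafe(makeElement(), cfg).innerHTML);
console.log('safe textContent:', renderSafe(makeElement(), cfg).textContent);
console.log('escaped string  :', escapeHtml(cfg.label));
```

With the unsafe renderer the label lands in innerHTML unchanged and a browser would parse it; with the safe renderer the same bytes sit in textContent and are displayed literally. The validation step is what makes the class name and animation duration safe to interpolate: they can only ever be an allowlisted token and a bounded number.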
WAF / virtual patching guidance (generic)
While awaiting an upstream patch, consider virtual patching rules at the web layer to reduce risk: