CVE Catalog

CVE-2025-8444

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile — higher than 9% of all known CVEs

Summary

The Animation Addons for Elementor, powered by GSAP, is vulnerable to DOM-Based Stored Cross-Site Scripting in versions up to and including 2.6.7. The issue arises from insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts.

Risk Assessment

Attackers can inject malicious scripts that will execute whenever a user accesses the infected page, potentially leading to data theft or session hijacking.

Recommendation

It is recommended to update the plugin to the latest version and implement proper input sanitization and output escaping mechanisms.

Original NVD description (English source)

The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS