CVE-2025-8444: Animation Addons for Elementor Stored XSS Vulnerability – Patch Guidance
A WordPress plugin called Animation Addons for Elementor (versions up to 2.6.7) allows authenticated users with contributor-level permissions to inject malicious scripts into pages. When other users visit those pages, the scripts execute in their browsers, potentially stealing session data, modifying page content, or performing actions on their behalf. The vulnerability stems from the plugin's failure to properly clean and validate user input before storing it.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-8444 is a DOM-based stored cross-site scripting (XSS) vulnerability affecting Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin through version 2.6.7. The vulnerability exists across multiple parameters due to insufficient input sanitization and output escaping. An authenticated attacker with Contributor role or higher can inject arbitrary JavaScript that persists in the page and executes in the context of any user who subsequently views the affected page. This represents a server-side storage of malicious content that is then reflected client-side, making it a stored XSS rather than a simple reflected variant.
Business impact
Organizations using this plugin on WordPress sites face risk of unauthorized content modification, credential harvesting, malware distribution, and user session hijacking. Contributors and editors with malicious intent—or whose accounts become compromised—can deface pages, inject keyloggers, or redirect visitors without administrative awareness. This is particularly concerning for sites where multiple users have contributor access, as trust boundaries between content creators are eroded. Remediation requires immediate plugin updates and content audits to remove injected scripts.
Affected systems
WordPress installations running Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin in versions 2.6.7 and earlier are affected. The vulnerability requires the attacker to possess Contributor-level access or higher, meaning sites with open contributor registrations or those with compromised contributor accounts face elevated exposure. No version range is completely safe; users must upgrade beyond 2.6.7 to a patched release.
Exploitability
Exploitability is moderately straightforward for authenticated attackers with contributor privileges. No special tools or user interaction on the attacker's part is required—the injected payload executes automatically when any user visits the affected page. However, the requirement for prior authentication and contributor-level access limits the attack surface to insiders, disgruntled employees, or accounts compromised through credential theft. The CVSS score of 6.4 (Medium) reflects this: network-accessible, low attack complexity, but authentication required and no direct availability impact.
Remediation
Upgrade Animation Addons for Elementor to a patched version beyond 2.6.7 as soon as the vendor releases one. Verify the update through the WordPress plugin repository or the vendor's official advisory. After upgrading, conduct a thorough audit of all published pages and posts to identify and remove any injected scripts, particularly in content edited by untrusted or compromised accounts. Review contributor and editor user lists and revoke access for inactive or suspicious accounts. Consider implementing a Web Application Firewall (WAF) rule to detect and block inline script injection patterns during the interim period.
Patch guidance
1. Log in to your WordPress dashboard and navigate to Plugins > Installed Plugins. 2. Locate Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates. 3. Check for available updates; if a patched version is available, click Update Now. 4. Verify the updated version is higher than 2.6.7 by checking Plugins > Installed Plugins and hovering over the plugin name. 5. Test critical pages in a staging environment before proceeding to production if this plugin is central to your site's functionality. 6. Document the update in your change log for compliance and audit purposes.
Detection guidance
Search your WordPress database and page content for suspicious inline script tags, particularly those added to Elementor element parameters or custom fields. Review the WordPress audit log (if a logging plugin is installed) for contributor-level content edits around the time of suspected injection. Use browser developer tools to inspect DOM elements on published pages for unexpected JavaScript. Consider using security plugins like Wordfence or Sucuri to scan for known malware signatures and suspicious code patterns. Monitor for user reports of unexpected behavior or redirects on your site, which may indicate successful exploitation.
Why prioritize this
This vulnerability warrants timely attention but not emergency response for most organizations. The CVSS 6.4 (Medium) score is justified: the attack requires prior authentication and contributor access, limiting the attacker pool to insiders or compromised accounts. However, organizations with multiple content contributors or public contributor registration should prioritize patching, as the stored nature of the XSS means injected content affects all subsequent visitors indefinitely. If your site has experienced contributor account compromise, patch immediately.
Risk score, explained
The CVSS 3.1 score of 6.4 reflects: (1) Network-accessible attack vector with low complexity; (2) requirement for Contributor-level authentication, which reduces likelihood compared to unauthenticated flaws; (3) scope change due to XSS affecting users beyond the attacker; (4) confidentiality and integrity impacts (credential theft, content modification) but no availability impact. The Medium severity appropriately positions this as a real threat requiring action but not an emergency requiring out-of-hours response for most organizations.
Frequently asked questions
Who can exploit this vulnerability?
Authenticated WordPress users with Contributor-level access or higher. This includes content editors, shop managers (in e-commerce setups), and administrators. The attacker does not need physical access or to trick users into clicking malicious links.
What should I do if I cannot update the plugin immediately?
Immediately restrict Contributor-level access to trusted staff only. If you have a Web Application Firewall, deploy a rule to block inline JavaScript injection. Audit all recent edits to pages and posts by contributors. Monitor site behavior closely for signs of compromise. Set a firm deadline for the update and test it in a staging environment in parallel.
Can this vulnerability be exploited remotely without any access?
No. The attacker must already possess a WordPress user account with Contributor-level permissions or higher. They cannot exploit the vulnerability from outside the organization without first obtaining valid credentials.
How do I check if my site has been exploited?
Review all pages and posts edited by contributors in the past month for inline scripts or unusual code. Use WordPress security plugins like Wordfence to perform a malware scan. Check your WordPress database directly for suspicious JavaScript in post_content or post_meta fields. If you find injected content, remove it and reset any passwords for potentially affected users.
This analysis is based on the CVE record published on 2026-06-10 and modified on 2026-06-17. Patch availability, affected version ranges, and vendor advisory details should be verified directly with the plugin vendor or WordPress.org plugin repository. This analysis does not constitute a guarantee of security; organizations should conduct their own risk assessment based on their infrastructure, user base, and data sensitivity. No exploit code or weaponized proof-of-concept is provided or should be sought for this vulnerability. Consult with your security team and the vendor's official advisory before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings