CVE-2025-2108: 
WordPress vulnerability analysis and mitigation

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-2108) discovered in versions up to and including 1.4.6.8. The vulnerability affects the 'Site Title' widget's 'titletag' and 'htmltag' parameters due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (MEDIUM). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and affects changed scope (S:C) with low confidentiality and integrity impact (C:L, I:L) and no availability impact (A:N) (NVD, Wordfence).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized actions and data theft (NVD).

The vulnerability has been patched in version 1.4.8 of the Xpro Addons For Elementor plugin. Users are advised to update to this version to resolve the security issue (WordPress Plugin).