CVE-2025-2225: 
WordPress vulnerability analysis and mitigation

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-2225) via the 'raeltitletag' parameter in versions up to and including 1.6.9. The vulnerability exists due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that execute when users access affected pages (NVD).

The vulnerability is caused by improper neutralization of input during web page generation, specifically in the 'raeltitletag' parameter. The issue has been classified as CWE-79 (Cross-site Scripting). The vulnerability has a CVSS v3.1 Base Score of 6.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) (NVD).

Successful exploitation allows authenticated attackers with Contributor-level privileges or higher to inject malicious scripts that execute in users' browsers when they visit affected pages. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (NVD).

Users should update to version 1.6.9.1 or later which includes security improvements and fixes for this vulnerability. The update implements proper validation of HTML tags through an allowlist approach (WordPress Changeset).