CVE-2025-22646: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the aThemes Addons for Elementor WordPress plugin, identified as CVE-2025-22646. The vulnerability affects versions up to and including 1.0.8 of the plugin. The issue was discovered by researcher Michael and was publicly disclosed on February 3, 2025. The vulnerability stems from insufficient input sanitization and output escaping in the plugin (WPScan, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The issue requires an authenticated user with contributor-level access or higher to exploit (NVD, Patchstack).

When exploited, this vulnerability allows authenticated attackers with contributor-level access to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions, data theft, or site defacement (WPScan, Patchstack).

The vulnerability has been fixed in version 1.0.9 of the aThemes Addons for Elementor plugin. Site administrators are advised to update to this version or later to remediate the security issue. The fix addresses the insufficient input sanitization and output escaping that led to the XSS vulnerability (Patchstack).