CVE-2025-26745: 
WordPress vulnerability analysis and mitigation

The RS Elements Elementor Addon WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-26745. This security issue affects versions up to and including 1.1.5 of the plugin. The vulnerability was discovered on April 10, 2025, and publicly disclosed on April 15, 2025 (NVD, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue due to insufficient input sanitization and output escaping in the plugin. It has received a CVSS v3.1 Base Score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, defacement, or other malicious actions (WPScan).

Currently, there is no official patch or fix available for this vulnerability. Website administrators using the affected plugin versions should consider either removing the plugin or implementing additional access controls to restrict contributor-level access until a fix is released (Patchstack).