CVE-2025-26769: 
WordPress vulnerability analysis and mitigation

The Vertex Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-26769) affecting versions up to and including 1.2.0. The vulnerability was discovered and reported by Webula on January 15, 2025, and was publicly disclosed on February 14, 2025. This security issue affects users of the WordPress plugin 'Vertex Addons for Elementor' and requires contributor-level access or higher to exploit (WPScan, Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping in the plugin. It has been assigned a CVSS score of 6.4-6.5 (Medium severity). The vulnerability falls under the OWASP Top 10 category A3: Injection and is identified with CWE-79 (WPScan, Patchstack).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page. This could enable attackers to inject redirects, advertisements, and other malicious HTML payloads that execute when visitors access the affected site (Patchstack).

The vulnerability has been fixed in version 1.3.0 of the Vertex Addons for Elementor plugin. Website administrators are advised to update to version 1.3.0 or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).