CVE-2025-30925: 
WordPress vulnerability analysis and mitigation

The Pack Elementor addons plugin version 2.1.1 and earlier contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and reported on November 15, 2024, and was publicly disclosed on March 27, 2025. This security issue affects the WordPress plugin The Pack Elementor addons up to version 2.1.1, with a fix available in version 2.1.2 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue, identified as CVE-2025-30925. It has been assigned a CVSS v3.1 score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability type falls under the OWASP Top 10 category A3: Injection (Patchstack).

This vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The attack requires contributor-level privileges or higher to exploit (Patchstack).

The recommended mitigation is to update The Pack Elementor addons plugin to version 2.1.2 or later, which contains the fix for this vulnerability. Website administrators using Patchstack can enable auto-updates for vulnerable plugins to ensure automatic remediation (Patchstack).