CVE-2025-3275: 
WordPress vulnerability analysis and mitigation

The Themesflat Addons For Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-3275) discovered on April 19, 2025. This vulnerability affects all versions up to and including 2.2.5, specifically in the TF E Slider widget component. The issue stems from insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability exists in the TF E Slider widget where user input is not properly sanitized before being stored and displayed, allowing for the injection of malicious scripts (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to unauthorized access to sensitive information or manipulation of user sessions (NVD).

A fix has been implemented in the plugin's source code that includes proper HTML escaping functionality for user input. The patch can be found in the plugin's repository, specifically addressing the XSS vulnerability in the tf-flexslider.js file (WordPress Plugin, Plugin Changeset).