CVE-2025-54704: 
WordPress vulnerability analysis and mitigation

The Easy Elementor Addons plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-54704) discovered by Abu Hurayra and disclosed on July 30, 2025. This vulnerability affects versions up to and including 2.2.6, allowing authenticated users with contributor-level access or higher to inject malicious web scripts into pages (Rapid7, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based, with low attack complexity, requiring low privileges and user interaction. The vulnerability stems from insufficient input sanitization and output escaping in the plugin (AttackerKB, Patchstack).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page. This could lead to malicious script execution, including potential redirects, unwanted advertisements, and other HTML payloads that execute when visitors access the affected site (Patchstack).

Users are advised to update to version 2.2.7 or later to remediate this vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).