CVE-2025-5944: 
WordPress vulnerability analysis and mitigation

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-caption' attribute in all versions up to, and including, 8.0.0 due to insufficient input sanitization and output escaping. This vulnerability was discovered and disclosed in July 2025 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping of the 'data-caption' attribute. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers to inject malicious scripts that execute in users' browsers when they view affected pages. This could lead to theft of sensitive information, session hijacking, or other client-side attacks targeting site visitors (NVD).

The vulnerability has been patched in version 8.1.0 of the Element Pack Addons plugin. Users are advised to update to this version or later to mitigate the security risk. The patch includes security improvements and fixes for the UIKit JS vendor code (BdThemes Feedback).