CVE-2025-7440: 
WordPress vulnerability analysis and mitigation

The Anber Elementor Addon plugin for WordPress (versions up to and including 1.0.1) was identified with a Stored Cross-Site Scripting vulnerability, tracked as CVE-2025-7440. The vulnerability was discovered and disclosed on August 16, 2025, affecting the plugin's handling of the $item['button_link']['url'] parameter. The plugin was temporarily closed on August 14, 2025, pending a full security review (WordPress Plugin, NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the $item['button_link']['url'] parameter. It has been assigned a CVSS v3.1 base score of 6.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, AttackerKB).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The plugin has been temporarily closed and removed from the WordPress plugin repository as of August 14, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).