CVE-2025-8216: 
WordPress vulnerability analysis and mitigation

The Sky Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-8216) discovered in July 2025. The vulnerability affects all versions up to and including 3.1.4 and stems from insufficient input sanitization and output escaping on user-supplied attributes across multiple widgets (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 Base Score of 6.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The weakness is identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability requires authenticated access with contributor-level privileges or higher to exploit (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD).

The vulnerability was addressed in version 3.2.0 of the Sky Addons for Elementor plugin, released on July 26, 2025. Users are advised to update to this version or later to protect against this security issue (WordPress Plugin).