Atomic Edge analysis of CVE-2025-14149 (metadata-based):

This vulnerability is a stored cross-site scripting (XSS) flaw in the Xpro Addons for Elementor WordPress plugin. The vulnerability exists in the Image Scroller widget’s box link attribute. The CWE-79 classification confirms improper neutralization of input during web page generation.

Atomic Edge research indicates the root cause is insufficient input sanitization and output escaping on user-supplied attributes. The plugin likely accepts user input for the widget’s link field without proper validation, then stores and renders it unsafely. This allows JavaScript injection into pages where the widget appears.

Exploitation requires contributor-level WordPress access or higher. Attackers can inject malicious scripts via the Elementor editor interface when configuring the Image Scroller widget. The payload executes when any user views the compromised page. The CVSS vector confirms network accessibility, low attack complexity, and low privilege requirements with no user interaction needed.

The fix in version 1.4.25 likely implements proper output escaping using WordPress functions like esc_url() or esc_attr() for the link attribute. Input validation may also have been added to restrict the field to valid URLs.

Successful exploitation allows attackers to perform actions as the viewing user. This includes stealing session cookies, redirecting users, or modifying page content. The stored nature means the attack persists across sessions until the malicious content is removed.