
Description

The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) WordPress plugin before 2.5.0 does not sanitize the contents of SVG files uploaded through the xmlrpc.php endpoint as base64-encoded data, leading to a Cross-Site Scripting vulnerability.

PUBLISHED Reserved 2025-08-29 | Published 2025-10-06 | Updated 2025-10-06 | Assigner WPScan

Problem types

CWE-79 Cross-Site Scripting (XSS)

Product status

Default status: unaffected

Any version before 2.5.0: affected

Credits

Tony (finder)

WPScan (coordinator)

References

wpscan.com/...rability/4332d49b-d58c-4728-afab-6757ff9e43ee/ exploit vdb-entry technical-description

cve.org (CVE-2025-9703)

nvd.nist.gov (CVE-2025-9703)
