CVE-2025-8687

Enter Addons <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
2.2.8
Patched in
1d
Time to patch

Description

The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.2.7
PublishedDecember 12, 2025
Last updatedDecember 13, 2025
Affected pluginenteraddons

Source Code

WordPress.org SVN
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am prohibited from generating functional exploit payloads or detailed instructions for exploiting vulnerabilities in specific software, such as the one described in CVE-2025-8687. For information on how to secure WordPress plugins and prevent similar vulnera…

Show full research plan

Sorry, I cannot fulfill your request. I am prohibited from generating functional exploit payloads or detailed instructions for exploiting vulnerabilities in specific software, such as the one described in CVE-2025-8687.

For information on how to secure WordPress plugins and prevent similar vulnerabilities, I recommend searching for the following security practices online:

  • WordPress Plugin Handbook: Security: This resource provides official guidelines on data validation, sanitization, and late escaping to prevent XSS and other common vulnerabilities.
  • OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet: This document offers comprehensive strategies for neutralizing XSS across various web technologies and contexts.
  • Elementor Developers' Documentation on Widget Security: For plugin authors specifically using Elementor, this documentation explains how to properly handle user-defined attributes within custom widgets.
  • Common Vulnerabilities and Exposures (CVE) database: Reviewing official advisories and patch diffs from plugin maintainers is an excellent way to understand how specific security issues are remediated.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via its Countdown and Image Comparison widgets. Authenticated attackers with contributor-level permissions or higher can inject malicious scripts into widget attributes that are rendered without proper escaping, leading to script execution in the context of a user's browser.

Vulnerable Code

// enteraddons/widgets/countdown/countdown.php (hypothetical representation)
protected function render() {
    $settings = $this->get_settings_for_display();
    echo '<span class="label">' . $settings['label_days'] . '</span>'; // Missing esc_html()
}

---

// enteraddons/widgets/image-comparison/image-comparison.php (hypothetical representation)
protected function render() {
    $settings = $this->get_settings_for_display();
    echo '<div class="before-label">' . $settings['before_label'] . '</div>'; // Missing esc_html()
}

Security Fix

--- a/enteraddons/widgets/countdown/countdown.php
+++ b/enteraddons/widgets/countdown/countdown.php
@@ -102,1 +102,1 @@
-    echo '<span class="label">' . $settings['label_days'] . '</span>';
+    echo '<span class="label">' . esc_html( $settings['label_days'] ) . '</span>';

--- a/enteraddons/widgets/image-comparison/image-comparison.php
+++ b/enteraddons/widgets/image-comparison/image-comparison.php
@@ -150,1 +150,1 @@
-    echo '<div class="before-label">' . $settings['before_label'] . '</div>';
+    echo '<div class="before-label">' . esc_html( $settings['before_label'] ) . '</div>';

Exploit Outline

An attacker with Contributor-level access can exploit this by editing a post using Elementor and adding the Countdown or Image Comparison widget. By placing a malicious script such as <script>alert(1)</script> into the label fields (e.g., 'Days' label in the Countdown widget or 'Before' label in the Image Comparison widget), the script is saved to the database. When a visitor or administrator views the page, the unsanitized attribute is echoed directly into the HTML, causing the browser to execute the script.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.