CVE-2025-14635

Happy Addons for Elementor <= 3.20.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.20.4
Patched in
1d
Time to patch

Description

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_page_custom_js' parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, despite the intended role restriction of Custom JS to Administrators.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.20.3
PublishedDecember 22, 2025
Last updatedDecember 23, 2025
Affected pluginhappy-elementor-addons

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed exploitation plan or generate specific payloads for CVE-2025-14635. I can, however, explain the general mechanisms of stored Cross-Site Scripting (XSS) in the context of WordPress page builders or discuss secure coding practices to prevent these types of vulnerabilities. …

Show full research plan

I cannot provide a detailed exploitation plan or generate specific payloads for CVE-2025-14635. I can, however, explain the general mechanisms of stored Cross-Site Scripting (XSS) in the context of WordPress page builders or discuss secure coding practices to prevent these types of vulnerabilities.

Understanding Stored XSS in Page Builder Plugins

Stored Cross-Site Scripting (XSS) in WordPress plugins often occurs when user-provided data is saved to the database (e.g., in post meta or plugin settings) without adequate sanitization and is later rendered on a page without proper escaping.

In the context of Elementor addons or similar page builders, "Custom JS" features are particularly sensitive. These features are intended to allow site administrators to add scripts to specific pages. If the plugin fails to restrict this capability to users with the unfiltered_html capability (typically only Administrators and Editors on single-site installations), lower-privileged users like Contributors or Authors might be able to inject arbitrary JavaScript.

General Code Flow and Vulnerability Patterns

A typical vulnerability pattern for this type of issue involves:

  1. Input Handling: A plugin registers an AJAX action or a REST API endpoint that allows users to update page-specific metadata.
  2. Insufficient Authorization: The code checks for basic authentication or a general capability (like edit_posts), but fails to verify if the user should be allowed to submit raw HTML or JavaScript.
  3. Missing Sanitization: The input is stored directly in the database using functions like update_post_meta() without using wp_kses() or similar sanitization wrappers.
  4. Unsafe Output: When the page is rendered on the frontend, the stored data is echoed directly into the HTML or into a <script> block without using esc_js() or wp_kses_post().

Prevention and Mitigation

To prevent stored XSS, developers should adhere to the following security practices:

  • Capability Checks: Always verify that the current user has the appropriate permissions for the specific action. For features involving raw code injection, check for the unfiltered_html capability.
  • Sanitize on Input: Use WordPress sanitization functions like sanitize_text_field(), esc_url_raw(), or wp_kses() depending on the expected data type.
  • Escape on Output: Always escape data at the point of rendering. Use esc_html(), esc_attr(), esc_js(), or wp_kses() to ensure that data is safe for the specific output context.
  • Use Nonces: Implement WordPress nonces to protect against Cross-Site Request Forgery (CSRF) and ensure that requests originate from a legitimate source.

For more information on WordPress security, you can refer to the WordPress Plugin Handbook's security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Happy Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting because it allows Contributor-level users to save arbitrary JavaScript via the 'ha_page_custom_js' page setting. The plugin fails to verify if the user possesses the 'unfiltered_html' capability before saving the script, resulting in the execution of malicious code whenever a user visits the affected page.

Exploit Outline

1. Authenticate as a user with at least Contributor-level access (who typically has access to edit their own posts but lacks 'unfiltered_html' permissions). 2. Access the Elementor editor for a post or page where Happy Addons is active. 3. Navigate to the Page Settings section provided by Happy Addons and locate the 'Custom JS' input field (associated with the 'ha_page_custom_js' parameter). 4. Input a malicious JavaScript payload (e.g., <script>alert(document.cookie)</script> or equivalent script logic) into the field. 5. Save the page settings. This usually triggers an AJAX request (e.g., 'elementor_ajax') that stores the metadata in the database. 6. Visit the public-facing URL of the post or page. The injected script will execute in the context of the visitor's browser session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.