{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13368", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-18T17:57:39.547Z", "datePublished": "2026-04-04T07:41:59.813Z", "dateUpdated": "2026-04-08T17:26:47.785Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:47.785Z"}, "affected": [{"vendor": "xpro", "product": "Xpro Addons \u2014 140+ Widgets for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.20", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Xpro Addons \u2014 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Xpro Addons \u2014 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d83ae3a4-382f-4e64-bf1e-73f953f2f654?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3432667/xpro-elementor-addons"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-11-09T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-28T16:32:47.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-03T19:27:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:29:45.370407Z", "id": "CVE-2025-13368", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:41:32.476Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13368", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:29:45.370407Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:30:16.011Z"}}], "cna": {"title": "Xpro Addons \u2014 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "xpro", "product": "Xpro Addons \u2014 140+ Widgets for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.20"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-09T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-28T16:32:47.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-03T19:27:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d83ae3a4-382f-4e64-bf1e-73f953f2f654?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3432667/xpro-elementor-addons"}], "descriptions": [{"lang": "en", "value": "The Xpro Addons \u2014 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-04T07:41:59.813Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13368", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:41:32.476Z", "dateReserved": "2025-11-18T17:57:39.547Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T07:41:59.813Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Xpro Addons \u2014 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Widget's 'onClick Event' setting in all versions up to, and including, 1.4.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13368", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T08:16:04.117", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3432667/xpro-elementor-addons"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d83ae3a4-382f-4e64-bf1e-73f953f2f654?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.20]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Xpro Addons \u2014 140+ Widgets for Elementor", "source": "cna", "vendor": "xpro"}, "product": "xpro_addons_\u2014_140+_widgets_for_elementor", "vendor": "xpro"}], "analysis": {"en": {"generated_at": "2026-04-04T11:22:09.475866+00:00", "value": {"mitigation_remediation": ["Update the Xpro Addons plugin to version 1.4.21 or later. ", "If an update is not immediately available, remove or disable the Pricing Widget on pages or delete the onClick setting to prevent script storage. ", "Restrict contributor-level access on pages that use the widget until a patch is applied. ", "Review the vendor\u2019s advisories and monitor for any new patches or additional mitigations."], "summary": {"action": "Patch", "impact": "Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Xpro Addons \u2014 140+ Widgets for Elementor plugin installed, specifically versions up to and including 1.4.20. No other products or versions are listed as affected by this vulnerability.", "description_and_impact": "The Xpro Addons plugin for WordPress enables the injection of malicious scripts through the Pricing Widget\u2019s onClick event setting. When a contributor or higher-level user stores a script in this field, the script is rendered and executed on any page where the widget appears, giving the attacker the ability to execute arbitrary code in visitors\u2019 browsers. This type of stored cross\u2011site scripting can lead to defacement, credential theft, session hijacking or redirection to malicious sites, affecting the confidentiality, integrity and availability of the site and its users.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating a moderate to high severity. It requires authenticated access with at least contributor privileges, and the attack vector is inferred to be local via the website\u2019s editor interface. No EPSS data is available, and the vulnerability is not cataloged in CISA\u2019s KEV list, suggesting that while exploitability is confirmed, widespread exploitation has not been observed yet."}}}}, "created": "2026-04-06T20:27:37.580235+00:00", "updated": "2026-04-06T22:20:56.633460+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "xpro", "xpro$PRODUCT$xpro_addons_\u2014_140+_widgets_for_elementor"]}