CVE-2025-13368 Overview
The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Pricing Widget's onClick Event setting. This security flaw exists in all versions up to and including 1.4.20 due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages that execute whenever any user accesses the affected page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in victim browsers, potentially leading to session hijacking, credential theft, or malware distribution through compromised WordPress pages.
Affected Products
- Xpro Addons — 140+ Widgets for Elementor plugin for WordPress versions up to and including 1.4.20
- WordPress sites using vulnerable versions of the Xpro Elementor Addons plugin
- Any site utilizing the Pricing Widget component with the onClick Event setting
Discovery Timeline
- 2026-04-04 - CVE-2025-13368 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2025-13368
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw specifically manifests as a Stored XSS vulnerability, which is particularly dangerous because the malicious payload persists in the database and affects all users who view the compromised page.
The Pricing Widget component in Xpro Addons fails to properly sanitize user-supplied input in the onClick Event setting before storing it in the database and subsequently rendering it on the page. This allows attackers to embed JavaScript code that will be executed in the context of other users' browser sessions when they visit pages containing the malicious widget configuration.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and output encoding within the Pricing Widget's event handler configuration. The plugin does not adequately sanitize the onClick Event parameter before storing user input, nor does it properly escape the output when rendering the widget on the frontend. This lack of defense-in-depth allows script injection through event handler attributes.
Attack Vector
The attack vector is network-based and requires authentication with at least contributor-level privileges on the WordPress installation. An attacker with these permissions can:
- Access the WordPress backend and edit a page using Elementor
- Add or modify a Pricing Widget on the page
- Insert malicious JavaScript code into the onClick Event setting
- Save the page, which stores the payload in the database
- When any user (including administrators) views the page, the malicious script executes in their browser context
This Stored XSS vulnerability can be leveraged for various malicious purposes including stealing authentication cookies, redirecting users to phishing sites, defacing content, or escalating privileges by targeting administrator sessions.
Detection Methods for CVE-2025-13368
Indicators of Compromise
- Unusual JavaScript code present in Pricing Widget configurations within post metadata
- Unexpected network requests originating from pages containing Pricing Widgets
- Reports of suspicious behavior when users interact with pricing elements on the site
- Database entries containing script tags or JavaScript event handlers in widget settings
Detection Strategies
- Review WordPress database entries for xpro widget configurations containing suspicious JavaScript patterns
- Monitor web server logs for unusual referrers or request patterns associated with XSS exploitation
- Implement Content Security Policy (CSP) headers and monitor for CSP violation reports
- Use WordPress security plugins to scan for known XSS patterns in post content and widget configurations
Monitoring Recommendations
- Enable detailed logging for Elementor widget changes and track modifications to Pricing Widget settings
- Deploy web application firewall (WAF) rules to detect and block common XSS payloads
- Implement browser-based XSS detection through CSP reporting endpoints
- Regularly audit user accounts with contributor-level access or higher for suspicious activity
How to Mitigate CVE-2025-13368
Immediate Actions Required
- Update the Xpro Addons — 140+ Widgets for Elementor plugin to the latest patched version immediately
- Review all existing Pricing Widget configurations for potentially malicious onClick Event content
- Audit contributor and author accounts for unauthorized or suspicious users
- Consider temporarily disabling the Pricing Widget functionality until the update is applied
Patch Information
A security patch addressing this vulnerability has been released. The fix can be tracked via the WordPress Plugin Changeset. Users should update to a version newer than 1.4.20 to remediate this vulnerability. Additional technical details are available in the Wordfence Vulnerability Report.
Workarounds
- Implement strict Content Security Policy headers to mitigate the impact of any injected scripts
- Restrict contributor-level access to trusted users only until the patch is applied
- Use a Web Application Firewall (WAF) to filter malicious input patterns targeting onClick handlers
- Temporarily remove or disable Pricing Widgets from public-facing pages as an interim measure
# Add Content Security Policy header in .htaccess (Apache)
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
