CVE-2025-8444 Overview
CVE-2025-8444 affects the Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress. The plugin contains a DOM-Based Stored Cross-Site Scripting [CWE-79] vulnerability across multiple parameters in all versions up to and including 2.6.7. The flaw stems from insufficient input sanitization and output escaping in client-side JavaScript. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. Injected payloads execute in the browser of any user who visits the affected page.
Critical Impact
Authenticated contributors can persist arbitrary JavaScript into WordPress pages, enabling session theft, administrative action hijacking, and site defacement against visitors and administrators.
Affected Products
- Animation Addons for Elementor (free version) – all versions through 2.6.7
- GSAP Powered Elementor Addons & Website Templates – all versions through 2.6.7
- WordPress sites running the vulnerable plugin with Contributor or higher accounts
Discovery Timeline
- 2026-06-10 - CVE-2025-8444 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2025-8444
Vulnerability Analysis
The vulnerability is a DOM-Based Stored Cross-Site Scripting issue [CWE-79] in the Animation Addons for Elementor plugin. Stored attacker-controlled values are read by the plugin's client-side JavaScript and written into the DOM without proper escaping. The affected logic resides in assets/js/wcf-addons.min.js, which handles widget rendering on the front end. Because the payload is stored server-side but rendered through unsafe DOM operations, traditional server-side output filters do not neutralize it. Any visitor who loads the affected page triggers script execution under the site's origin.
Root Cause
The plugin accepts widget parameter values from authenticated editors and serializes them into the page output. The client-side script then consumes those values via DOM sinks such as innerHTML assignments or attribute injection without applying sanitization or contextual output escaping. This allows attacker-supplied markup to be interpreted as executable script.
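The sink pattern described above, shown as an added example (this is not the plugin's code): a minimal widget renderer that reads editor-saved settings and writes them into the DOM. renderUnsafe() reproduces the flaw (stored value flows into innerHTML and an href attribute with no escaping), renderSafe() and titleMarkup() are the hardened forms. The settings keys, class name and the stub element are assumptions made for this example; the sample settings are constructed.

```javascript
// Added example, not the plugin's own code. Stored widget settings are
// editor-controlled, so the renderer must treat them as untrusted input.

// Constructed sample: settings as a Contributor could have saved them.
const sampleSettings = {
  title: '<b onmouseover="leak()">Welcome</b>',
  link: 'javascript:leak()',
};

// Unsafe: untrusted stored strings flow straight into DOM sinks.
function renderUnsafe(el, settings) {
  el.innerHTML = '<h3 class="widget-title">' + settings.title + '</h3>';
  el.setAttribute('href', settings.link);
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http(s) and relative URLs; anything else (javascript:, data:)
// is replaced by a harmless fragment link. The base URL is a placeholder
// used only so relative paths parse.
function safeUrl(u) {
  try {
    const parsed = new URL(String(u), 'https://placeholder.invalid/');
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? String(u) : '#';
  } catch {
    return '#';
  }
}

// Hardened: text goes through textContent (never parsed as HTML) and the
// href is validated before it reaches the attribute sink.
function renderSafe(el, settings) {
  el.textContent = settings.title;
  el.setAttribute('href', safeUrl(settings.link));
}

// When markup must be built as a string (for example a template later
// assigned to innerHTML), every interpolated value is escaped first.
function titleMarkup(settings) {
  return '<h3 class="widget-title">' + escapeHtml(settings.title) + '</h3>';
}

// Stand-in for a DOM element so the example runs outside a browser.
function makeStubElement() {
  return {
    innerHTML: '',
    textContent: '',
    attrs: {},
    setAttribute(name, value) { this.attrs[name] = value; },
  };
}

// Demonstration: same settings, two renderers.
const unsafeEl = makeStubElement();
renderUnsafe(unsafeEl, sampleSettings);
const safeEl = makeStubElement();
renderSafe(safeEl, sampleSettings);
console.log('unsafe innerHTML:', unsafeEl.innerHTML);
console.log('safe textContent:', safeEl.textContent, '| href:', safeEl.attrs.href);
console.log('escaped markup:', titleMarkup(sampleSettings));
```

The hardened renderer does not rely on server-side filtering at all, which is the point the advisory makes: because the sink is in client-side code, the fix has to live there too (textContent or escapeHtml for text, an allowlist of URL schemes for href, setAttribute only with validated values). A Content-Security-Policy without 'unsafe-inline' adds a second layer if a sink is missed.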
Attack Vector
An authenticated user with Contributor privileges or higher submits malicious values through one of the plugin's vulnerable widget parameters. The payload is stored in post or widget metadata. When any subsequent visitor renders the page, the plugin's JavaScript injects the unsanitized value into the DOM, executing the attacker's script in the visitor's browser context.
No verified public exploit code is available. Technical details are documented in the Wordfence Vulnerability Report and the WordPress Plugin JS File.
Detection Methods for CVE-2025-8444
Indicators of Compromise
- Unexpected <script> tags, on* event handlers, or javascript: URIs inside post content, postmeta, or Elementor widget data created by Contributor accounts.
- Outbound browser requests from site visitors to unfamiliar domains shortly after loading pages built with Animation Addons for Elementor widgets.
- New or modified WordPress administrator accounts following content edits by lower-privileged users.
Detection Strategies
- Audit the wp_posts and wp_postmeta tables for HTML payloads containing script tags or event handler attributes within Elementor JSON data.
- Review WordPress audit logs for Contributor-level users editing or creating pages that use Animation Addons widgets.
- Inspect browser-side telemetry for Content Security Policy violations on pages rendering plugin widgets.
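The first detection strategy above, as an added example (not part of the advisory and not a Wordfence or Elementor tool): a Node.js script that walks the JSON Elementor stores in the `_elementor_data` postmeta key and flags string values containing script tags, inline event-handler attributes or javascript: URIs. The rows are constructed; their column names (post_id, meta_key, meta_value) follow the wp_postmeta schema. The widget type and settings keys in the sample are placeholders, not the plugin's real parameter names.

```javascript
// Added example, not the plugin's or advisory's own code: scan exported
// wp_postmeta rows for stored XSS indicators inside Elementor widget data.

// Patterns the advisory lists as indicators of compromise. The event-handler
// pattern requires a preceding space or quote so it matches HTML attributes
// rather than ordinary words.
const SUSPICIOUS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /[\s"']on[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
];

// Recursively visit every string in the parsed JSON, recording where each
// match was found (JSONPath-style) and a short snippet for triage.
function walk(value, path, out) {
  if (typeof value === 'string') {
    for (const { name, re } of SUSPICIOUS) {
      const m = re.exec(value);
      if (m) {
        const start = Math.max(0, m.index - 20);
        out.push({ path, pattern: name, snippet: value.slice(start, m.index + 40) });
      }
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, `${path}[${i}]`, out));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) walk(v, `${path}.${k}`, out);
  }
}

// rows: [{ post_id, meta_key, meta_value }]; only _elementor_data is scanned.
// Returns one finding per (post, location, pattern); unparseable values are
// reported too, since a corrupted blob also deserves a look.
function scanPostmetaRows(rows) {
  const findings = [];
  for (const row of rows) {
    if (row.meta_key !== '_elementor_data') continue;
    let data;
    try {
      data = JSON.parse(row.meta_value);
    } catch {
      findings.push({ postId: row.post_id, path: '$', pattern: 'unparseable-json',
                      snippet: String(row.meta_value).slice(0, 60) });
      continue;
    }
    const out = [];
    walk(data, '$', out);
    for (const f of out) findings.push({ postId: row.post_id, ...f });
  }
  return findings;
}

// Constructed sample rows (placeholder widget type and settings keys).
const sampleRows = [
  { post_id: 101, meta_key: '_elementor_data', meta_value: JSON.stringify([
    { id: 'a1', elType: 'widget', widgetType: 'example-widget', settings: { title: 'Welcome' } },
  ]) },
  { post_id: 102, meta_key: '_elementor_data', meta_value: JSON.stringify([
    { id: 'b2', elType: 'widget', widgetType: 'example-widget', settings: {
      title: '<b onmouseover="leak()">Welcome</b>',
      link: { url: 'javascript:leak()' },
    } },
  ]) },
  { post_id: 103, meta_key: '_edit_lock', meta_value: '1700000000:1' },
];

// Demonstration run.
console.log(JSON.stringify(scanPostmetaRows(sampleRows), null, 2));
```

Feed it rows exported from the database, for example the result of `SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'` saved as JSON, and join the flagged post_id values against wp_posts.post_author and the site's activity log to see which account last edited them. Findings are triage leads, not verdicts: legitimate HTML widgets can carry event handlers, and entity-encoded or double-encoded payloads will not match these patterns, so review flagged posts by hand.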
Monitoring Recommendations
- Enable verbose WordPress activity logging for content creation and editing actions performed by non-administrator roles.
- Monitor web server access logs for repeated POST requests to admin-ajax.php or the Elementor editor endpoints from Contributor accounts.
- Track outbound network connections from administrator browsers when accessing the WordPress admin area.
How to Mitigate CVE-2025-8444
Immediate Actions Required
- Update Animation Addons for Elementor to a version later than 2.6.7 once the vendor publishes a patched release.
- Review all Contributor, Author, and Editor accounts and remove any that are unnecessary or inactive.
- Inspect existing Elementor pages for stored payloads and remove malicious markup from post content and metadata.
Patch Information
At the time of NVD publication on 2026-06-10, all versions up to and including 2.6.7 are affected. Consult the Wordfence Vulnerability Report for the latest fixed version information and apply the vendor-supplied update once available.
Workarounds
- Deactivate the Animation Addons for Elementor plugin until a fixed version is installed.
- Restrict Contributor and higher roles to trusted users only, and require multi-factor authentication for all authenticated accounts.
- Deploy a web application firewall rule or Content Security Policy that blocks inline script execution on pages rendered by the plugin.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


