CVE Details
Basic Information
| Title | Medical Addon for Elementor <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter Widget |
|---|---|
| Type | cve |
| Published | 2025-08-02T07:24:21.959Z |
| Modified | 2025-08-02T07:24:21.959Z |
Product Information
| Vendor | nicheaddons |
|---|---|
| Product | Medical Addon for Elementor |
| Version | * |
CVSS Information
| Base Score | 6.4 (MEDIUM) |
|---|---|
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
AI Analysis
| AI Description | The Medical Addon for Elementor plugin, in versions up to and including 1.6.3, is vulnerable to Stored Cross-Site Scripting (XSS) via the Typewriter widget. This occurs due to insufficient input sanitization and output escaping, allowing authenticated users with contributor-level access or above to inject scripts. |
|---|---|
| AI Severity | Medium |
| AI Vendor | WordPress Community |
| AI Product | Medical Addon for Elementor |
| AI Version | up to 1.6.3 |
Affected Products
- nicheaddons Medical Addon for Elementor *
Additional Information
| CWE List | CWE-79 |
|---|---|
| Source | Wordfence |
Description
The Medical Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Typewriter widget in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.