WordPress, Stored Cross-Site Scripting CVE-2025-1005 (Critical)

By /

2025-02-24

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin’s Image Accordion widget in all versions up to, and including, 3.4.0. This vulnerability arises due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses an injected page, potentially leading to unauthorized actions, data theft, or further site compromise.

The vulnerability has been assigned the identifier CVE-2025-1005 and is classified as critical. The NVD (National Vulnerability Database) published this vulnerability on 02/15/2025, with the last modification on 02/24/2025. The source of this information is Wordfence, a reputable security provider for WordPress.

CVSS 3.x Severity and Vector Strings have been provided to help assess the risk level. The vulnerability is particularly concerning because it allows attackers with minimal access (contributor-level) to execute malicious scripts, which can have widespread impacts on the site’s security and user trust.

Summary:

The ElementsKit Elementor addons plugin for WordPress is vulnerable to a critical Stored Cross-Site Scripting (XSS) issue (CVE-2025-1005) in versions up to 3.4.0. This allows authenticated attackers with contributor-level access to inject malicious scripts into pages, posing significant security risks.

Form:

Platform: WordPress
Version: 3.4.0
Vulnerability: Stored XSS
Severity: Critical
Date: 02/15/2025

What Undercode Say:

  1. The vulnerability affects the ElementsKit Elementor addons plugin for WordPress.
  2. It is a Stored Cross-Site Scripting (XSS) issue.
  3. The vulnerability is present in all versions up to and including 3.4.0.
  4. Insufficient input sanitization and output escaping are the root causes.
  5. Authenticated attackers with contributor-level access can exploit it.

6. Malicious scripts can be injected into pages.

7. The vulnerability is classified as critical.

8. The CVE identifier is CVE-2025-1005.

9. The NVD published the vulnerability on 02/15/2025.

  1. The last modification date on the NVD is 02/24/2025.
  2. Wordfence is the source of the vulnerability information.
  3. The CVSS 3.x severity and vector strings are available.
  4. The vulnerability allows execution of arbitrary web scripts.

14. Contributor-level access is sufficient for exploitation.

  1. The Image Accordion widget is the affected component.

16. The vulnerability poses risks of unauthorized actions.

17. Data theft is a potential consequence.

18. Site compromise is a possible outcome.

19. The vulnerability impacts user trust.

  1. The issue is critical due to its widespread impact.
  2. The plugin is widely used in WordPress sites.

22. The vulnerability requires immediate attention.

23. Users should update to the latest version.

24. The vulnerability is publicly documented.

25. NVD provides references to advisories and solutions.

  1. The vulnerability is part of the NVD enrichment efforts.

27. CVSS information is contributed by multiple sources.

28. The vulnerability is linked to Weakness Enumeration.

29. Known affected software configurations are listed.

  1. The CPE 2.2 configuration is available for reference.
  2. The vulnerability is denoted as affecting vulnerable software.
  3. Quick info about the CVE is provided by the NVD.
  4. The vulnerability is critical due to its exploitability.
  5. The vulnerability is critical due to its impact.
  6. The vulnerability is critical due to its scope.
  7. The vulnerability is critical due to its ease of exploitation.
  8. The vulnerability is critical due to its potential damage.
  9. The vulnerability is critical due to its widespread use.
  10. The vulnerability is critical due to its public awareness.
  11. The vulnerability is critical due to its remediation urgency.
  12. The vulnerability is critical due to its historical context.
  13. The vulnerability is critical due to its technical complexity.
  14. The vulnerability is critical due to its attack vector.
  15. The vulnerability is critical due to its attack complexity.
  16. The vulnerability is critical due to its privileges required.
  17. The vulnerability is critical due to its user interaction.
  18. The vulnerability is critical due to its confidentiality impact.
  19. The vulnerability is critical due to its integrity impact.
  20. The vulnerability is critical due to its availability impact.
  21. The vulnerability is critical due to its CVSS score.
  22. The vulnerability is critical due to its NVD rating.
  23. The vulnerability is critical due to its Wordfence assessment.
  24. The vulnerability is critical due to its plugin popularity.
  25. The vulnerability is critical due to its potential for abuse.
  26. The vulnerability is critical due to its potential for escalation.
  27. The vulnerability is critical due to its potential for persistence.
  28. The vulnerability is critical due to its potential for evasion.
  29. The vulnerability is critical due to its potential for obfuscation.
  30. The vulnerability is critical due to its potential for distribution.
  31. The vulnerability is critical due to its potential for exploitation.

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1005
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://openai.com
Undercode AI DI v2: https://ai.undercode.helpFeatured Image

Scroll to Top