Severity by source
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis (AI)
Stored Cross-Site Scripting in Elementor Website Builder plugin for WordPress allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript into page content via insufficiently sanitized widget parameters. The injected scripts execute in the browsers of all users accessing affected pages, potentially enabling account hijacking, malware distribution, or defacement. CVSS 6.4 reflects the requirement for authenticated access but the broad scope of impact across all site visitors.
Technical Context (AI)
The vulnerability exists in the Elementor Website Builder plugin (CPE: cpe:2.3:a:elemntor:elementor_website_builder_-_more_than_just_a_page_builder:*:*:*:*:*:*:*:*), specifically in the REST API post-meta handling in modules/wp-rest/classes/elementor-post-meta.php. The root cause (CWE-87: Improper Neutralization of Input During Web Page Generation) is insufficient input sanitization when widget parameters are processed and inadequate output escaping when those parameters are rendered back into the page. The plugin's REST API post-meta handler accepts user-supplied widget configuration data without adequate validation or escaping, so script content embedded in widget settings is stored in the database and executed on subsequent page renders. All versions up to and including 3.35.5 are affected.
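As an added illustration in generic WordPress terms (this is not Elementor's code, which the page does not reproduce), the pattern described above: a post-meta field exposed through the REST API with no sanitize_callback, beside a registration that sanitizes on write and a renderer that escapes on output. The meta keys and function names are hypothetical.

```php
<?php
// Added example, not Elementor's code. Meta keys and function names are
// hypothetical; the WordPress APIs used (register_post_meta, wp_kses_post,
// esc_html, current_user_can, get_post_meta) are real core functions.

add_action( 'init', function () {
    // Weak: exposed to the REST API with no sanitize_callback. Whatever an
    // editing user submits is stored verbatim, so a value containing markup
    // or script reaches the database unchanged and is only as safe as the
    // code that later prints it.
    register_post_meta( 'page', '_demo_widget_title_unsafe', array(
        'show_in_rest' => true,
        'single'       => true,
        'type'         => 'string',
    ) );

    // Hardened: neutralize on write and check who may write.
    register_post_meta( 'page', '_demo_widget_title', array(
        'show_in_rest'      => true,
        'single'            => true,
        'type'              => 'string',
        // Reduce the value to the post-content HTML allow-list: script
        // elements, on* event handlers and javascript: URLs are dropped.
        'sanitize_callback' => function ( $value ) {
            return wp_kses_post( (string) $value );
        },
        // Contributors legitimately edit their own drafts, so this check
        // alone does not stop the issue; the sanitizer is what matters.
        'auth_callback'     => function ( $allowed, $meta_key, $post_id ) {
            return current_user_can( 'edit_post', $post_id );
        },
    ) );
} );

// Rendering: escape on output for the HTML context, even for sanitized
// values, so a stored string cannot break out of the text node.
function demo_render_widget_title( $post_id ) {
    $title = (string) get_post_meta( $post_id, '_demo_widget_title', true );
    return '<h2 class="widget-title">' . esc_html( $title ) . '</h2>';
}

// Unsafe rendering of the unsafe field, for contrast: raw concatenation
// means stored markup is emitted as markup and executes in every visitor's
// browser, which is the stored-XSS outcome the description refers to.
function demo_render_widget_title_unsafe( $post_id ) {
    $title = (string) get_post_meta( $post_id, '_demo_widget_title_unsafe', true );
    return '<h2 class="widget-title">' . $title . '</h2>';
}
```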
Remediation (AI)
Vendor-released patch: version 3.35.6 and later. Update the Elementor Website Builder plugin immediately via the WordPress admin dashboard (Plugins > Installed Plugins > Elementor > Update Now) or by downloading version 3.35.6 or newer from the official WordPress plugin repository. The fix adds proper input sanitization and output escaping of widget parameters in the REST API post-meta handler (confirmed by the 3.35.5-to-3.35.6 changeset). Sites that cannot update immediately should restrict Contributor-level access to trusted users and monitor page revisions for suspicious widget parameter changes. No workaround fully mitigates the vulnerability while a vulnerable version is installed; updating is the only complete remediation.
EUVD-2025-209290