CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KingAddons.com King Addons for Elementor king-addons allows DOM-Based XSS. This issue affects King Addons for Elementor: from n/a through <= 51.1.61.
Analysis (AI)
DOM-based cross-site scripting (XSS) in King Addons for Elementor plugin versions up to 51.1.61 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when those users interact with affected pages. Exploitation requires user interaction (clicking a crafted link) and affects the confidentiality and integrity of website content. The EPSS score of 0.02% indicates a low real-world exploitation probability despite the moderate CVSS rating of 5.4.
Technical Context (AI)
This is a DOM-based cross-site scripting vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in the King Addons for Elementor WordPress plugin. The vulnerability stems from insufficient input sanitization during client-side DOM manipulation, allowing attackers to inject arbitrary JavaScript that executes in the context of a user's browser session. DOM-based XSS differs from stored or reflected XSS in that the malicious payload is processed entirely on the client side through the browser's DOM API, so it may never appear in a server request or response and is difficult to detect at the network level. The affected component is the King Addons plugin (CPE identifier: wordpress-plugins-king-addons-for-elementor), which extends the Elementor page builder with additional widgets and functionality.
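The following is an added illustration of the general DOM-based XSS pattern described above, not code from the King Addons plugin or from its advisory. The element, the hypothetical `q` fragment parameter and the render functions are constructed for the example; it shows how a client-side HTML sink turns URL data into markup, why the fragment-carried data is invisible to server logs, and how a text sink or escaping neutralizes the same input.

```javascript
// Added illustration of the DOM-based XSS pattern (CWE-79). None of this is
// code from the King Addons plugin; the element, the "q" fragment parameter
// and the render functions are hypothetical.

// Escape the five characters that can open a tag, attribute or entity.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal stand-in for a DOM element so the example runs under Node.
// innerHTML hands the string to a (simulated) HTML parser; textContent
// stores literal characters. tagsCreated approximates how many elements a
// real parser would create from the innerHTML assignment.
function fakeElement() {
  const el = { html: "", text: "", tagsCreated: 0 };
  Object.defineProperty(el, "innerHTML", {
    get() { return el.html; },
    set(v) {
      el.html = v;
      el.tagsCreated = (v.match(/<[a-zA-Z]/g) || []).length;
    },
  });
  Object.defineProperty(el, "textContent", {
    get() { return el.text; },
    set(v) {
      el.text = v;
      el.html = escapeHtml(v); // what a browser serializes back as innerHTML
      el.tagsCreated = 0;
    },
  });
  return el;
}

// Source: a value taken from the URL fragment. The fragment is never sent to
// the server, so a DOM-based payload leaves no trace in server logs or proxies.
function readFragmentParam(url, name) {
  const hash = new URL(url).hash.replace(/^#/, "");
  return new URLSearchParams(hash).get(name) ?? "";
}

// Vulnerable pattern: untrusted fragment data written through an HTML sink.
function renderUnsafe(el, url) {
  el.innerHTML = "Results for: " + readFragmentParam(url, "q");
  return el;
}

// Hardened pattern 1: a text sink; the value is never parsed as markup.
function renderSafe(el, url) {
  el.textContent = "Results for: " + readFragmentParam(url, "q");
  return el;
}

// Hardened pattern 2: when an HTML sink is unavoidable, escape before insertion.
function renderEscaped(el, url) {
  el.innerHTML = "Results for: " + escapeHtml(readFragmentParam(url, "q"));
  return el;
}

// Constructed sample URL; a harmless tag stands in for any markup that could
// arrive in the fragment. The parameter never appears in the HTTP request line.
const SAMPLE_URL = "https://example.invalid/search#q=<b>bold</b>";

console.log("unsafe  :", renderUnsafe(fakeElement(), SAMPLE_URL).tagsCreated, "element(s) created");
console.log("textsink:", renderSafe(fakeElement(), SAMPLE_URL).innerHTML);
console.log("escaped :", renderEscaped(fakeElement(), SAMPLE_URL).innerHTML);
```

The point for defenders is that the fix lives at the sink: because the data travels in the fragment and is rendered entirely by client-side script, request logging and WAF inspection do not see it, and only choosing a text sink (or escaping before an HTML sink) removes the issue.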
Affected Products (AI)
King Addons for Elementor WordPress plugin from version n/a through version 51.1.61 is affected. The plugin extends the Elementor page builder for WordPress and is distributed through the WordPress plugin repository. The vulnerability affects all installations running version 51.1.61 or earlier.
Remediation (AI)
Update King Addons for Elementor to a version newer than 51.1.61. Check the plugin's update mechanism in the WordPress admin dashboard, or visit the Patchstack database at https://patchstack.com/database/Wordpress/Plugin/king-addons/vulnerability/wordpress-king-addons-for-elementor-plugin-51-1-37-cross-site-scripting-xss-vulnerability for the specific patched version number and detailed advisory information. If an automatic update is available, apply it immediately; otherwise, manually download and install the latest version from the WordPress plugin repository. No workarounds are available for this vulnerability; updating is the only remediation.