Riyadh Ahmed Make Section CVE-2025-63033
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS.This issue affects Make Section & Column Clickable For Elementor: from n/a through <= 2.4.
AnalysisAI
Stored XSS in Make Section & Column Clickable For Elementor WordPress plugin (versions through 2.4) allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects site confidentiality, integrity, and availability with limited scope. EPSS score of 0.04% indicates low exploitation probability despite the presence of a public vulnerability disclosure.
Technical ContextAI
This is a Stored Cross-Site Scripting (CWE-79) vulnerability in a WordPress Elementor plugin. The plugin fails to properly neutralize user-supplied input during dynamic web page generation, allowing an authenticated administrator or privileged user to inject JavaScript code that persists in the database and executes when other users view the affected page section. Elementor is a popular WordPress page builder, and plugins extending it often manipulate page section and column attributes without adequate input sanitization or output escaping.
Affected ProductsAI
Make Section & Column Clickable For Elementor WordPress plugin versions 2.4 and earlier. The plugin is identified by the CPE applicable to WordPress plugins: specifically the make-section-column-clickable-elementor plugin hosted in the WordPress.org plugin repository.
RemediationAI
Update Make Section & Column Clickable For Elementor to version 2.5 or later when released by Riyadh Ahmed. Check the plugin's WordPress.org page or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/make-section-column-clickable-elementor/vulnerability/wordpress-make-section-column-clickable-for-elementor-plugin-2-3-cross-site-scripting-xss-vulnerability for patch availability. As an interim measure, restrict plugin access and admin capabilities to trusted users only, and consider disabling the plugin if a patched version is not immediately available.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today