CVE-2025-63033

MEDIUM
2025-12-09
5.9
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), MEDIUM 5.9

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS. This issue affects Make Section & Column Clickable For Elementor: from n/a through <= 2.4.

Analysis

Stored XSS in the Make Section & Column Clickable For Elementor WordPress plugin (versions through 2.4) allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R); per the CVSS vector, scope is changed (S:C) and the impact on confidentiality, integrity, and availability is low. The EPSS score of 0.04% indicates low exploitation probability despite the presence of a public vulnerability disclosure.

Technical Context

This is a Stored Cross-Site Scripting (CWE-79) vulnerability in a WordPress Elementor plugin. The plugin fails to properly neutralize user-supplied input during dynamic web page generation, allowing an authenticated administrator or privileged user to inject JavaScript code that persists in the database and executes when other users view the affected page section. Elementor is a popular WordPress page builder, and plugins extending it often manipulate page section and column attributes without adequate input sanitization or output escaping.

Affected Products

Make Section & Column Clickable For Elementor WordPress plugin, versions 2.4 and earlier. The affected component is the make-section-column-clickable-elementor plugin hosted in the WordPress.org plugin repository.

Remediation

Update Make Section & Column Clickable For Elementor to version 2.5 or later when released by Riyadh Ahmed. Check the plugin's WordPress.org page or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/make-section-column-clickable-elementor/vulnerability/wordpress-make-section-column-clickable-for-elementor-plugin-2-3-cross-site-scripting-xss-vulnerability for patch availability. As an interim measure, restrict plugin access and admin capabilities to trusted users only, and consider disabling the plugin if a patched version is not immediately available.

Priority Score

30
KEV: 0
EPSS: +0.0
CVSS: +30
POC: 0
