EUVD-2025-209290
CVE-2025-14732 | MEDIUM
2026-04-08 Wordfence
6.4 (CVSS 3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Apr 08, 2026 - 01:45 (euvd) - EUVD-2025-209290
Analysis Generated: Apr 08, 2026 - 01:45 (vuln.today)
CVE Published: Apr 08, 2026 - 01:24 (nvd)

Description

The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Analysis

Stored Cross-Site Scripting in the Elementor Website Builder plugin for WordPress allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript into page content via insufficiently sanitized widget parameters. The injected scripts execute in the browsers of all users who view affected pages, potentially enabling account hijacking, malware distribution, or defacement. The CVSS score of 6.4 reflects the requirement for authenticated access, weighed against the changed scope: the impact reaches every visitor to an affected page.

Technical Context

The vulnerability exists in the Elementor Website Builder plugin (CPE: cpe:2.3:a:elemntor:elementor_website_builder_-_more_than_just_a_page_builder:*:*:*:*:*:*:*:*), specifically in the REST API post-meta handling within modules/wp-rest/classes/elementor-post-meta.php. The root cause (CWE-87: Improper Neutralization of Input During Web Page Generation) stems from insufficient input sanitization when processing widget parameters and inadequate output escaping when rendering those parameters back to the page. WordPress's REST API endpoint processes user-supplied widget configuration data without proper validation or escaping, allowing malicious scripts embedded in widget settings to be stored in the database and executed in subsequent page renders. This affects all versions up to and including 3.35.5.

Affected Products

The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is affected in all versions up to and including 3.35.5 according to WordPress plugin repository records (https://plugins.trac.wordpress.org/changeset?old_path=/elementor/tags/3.35.5&new_path=/elementor/tags/3.35.6). The vulnerability affects the entire plugin codebase as distributed through the official WordPress plugin directory, regardless of deployment method.

Remediation

Vendor-released patch: version 3.35.6 and later. Update the Elementor Website Builder plugin immediately via the WordPress admin dashboard (Plugins > Installed Plugins > Elementor > Update Now) or by downloading version 3.35.6 or newer from the official WordPress plugin repository. The fix includes proper input sanitization and output escaping of widget parameters in the REST API post-meta handler (confirmed by the 3.35.5-to-3.35.6 changeset). For sites unable to update immediately, restrict Contributor-level access to trusted users only and monitor page revisions for suspicious widget parameter changes. No workaround fully prevents exploitation while a vulnerable version remains installed; patching is the only complete remediation.
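As an added example (not code from this advisory, Wordfence or Elementor), the revision-monitoring advice above can be turned into a simple scan of stored widget settings for script-bearing values. It assumes the stored page data is a JSON list of elements, each with `elType`/`widgetType`, a `settings` object and nested `elements` (the layout of Elementor's post meta is an assumption here, not taken from the page), and the sample record is constructed for the demonstration.

```python
import json
import re
from typing import Any, Iterator

# Markers of active script content in a stored setting value (case-insensitive,
# deliberately conservative; tune the list for your own content).
SCRIPT_MARKERS = [
    re.compile(r"<\s*script\b", re.I),                     # inline <script> tag
    re.compile(r"\bon[a-z]+\s*=", re.I),                   # HTML event-handler attribute
    re.compile(r"javascript\s*:", re.I),                   # javascript: URI scheme
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),  # script-capable elements
]

def _walk_value(value: Any, path: str) -> Iterator[tuple[str, str]]:
    """Yield (path, string) for every string nested anywhere inside a setting."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _walk_value(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk_value(v, f"{path}[{i}]")

def walk_settings(elements: list, path: str = "") -> Iterator[tuple[str, str]]:
    """Walk the assumed element tree (section > column > widget) and yield every setting string."""
    for i, el in enumerate(elements):
        here = f"{path}/{i}:{el.get('widgetType') or el.get('elType', '?')}"
        yield from _walk_value(el.get("settings", {}), here + "/settings")
        yield from walk_settings(el.get("elements", []), here)

def find_script_markers(post_meta_json: str) -> list[dict]:
    """Scan one stored widget tree; return where and which marker matched."""
    findings = []
    for path, text in walk_settings(json.loads(post_meta_json)):
        for marker in SCRIPT_MARKERS:
            if marker.search(text):
                findings.append({"path": path, "marker": marker.pattern, "value": text[:80]})
                break  # one finding per value is enough for triage
    return findings

# Constructed sample (not real site data): a benign heading plus an image widget whose
# alt text smuggles an event-handler attribute.
SAMPLE_META = json.dumps([{"elType": "section", "elements": [{"elType": "column", "elements": [
    {"elType": "widget", "widgetType": "heading", "settings": {"title": "Welcome"}},
    {"elType": "widget", "widgetType": "image",
     "settings": {"image": {"url": "/a.png", "alt": "x\" onerror=\"alert(1)"}}},
]}]}])
```

Calling `find_script_markers(SAMPLE_META)` reports the image widget's alt text at `/0:section/0:column/1:image/settings.image.alt`; run it over each new post revision and alert on any finding.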

Priority Score: 32

KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0


EUVD-2025-209290 vulnerability details – vuln.today
