Description
The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-23
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability exists in the UiCore Elements plugin for WordPress, specifically in the UI Counter, UI Icon Box, and various UI Testimonial widgets up to and including version 1.0.16. The underlying issue is insufficient input sanitization and output escaping, which allows an authenticated user with Contributor or higher privileges to inject arbitrary JavaScript into the widget configuration. When an affected page is viewed, the injected script executes in the victim’s browser, enabling the attacker to steal credentials, hijack sessions, deface content, or perform further attacks against the site.

Affected Systems

Vendors and products affected include uicore: UiCore Elements – Free widgets and templates for Elementor, a WordPress plugin distributed via the WordPress.org repository. Any WordPress installation running the UiCore Elements plugin at version 1.0.16 or earlier is vulnerable, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score of 6.4 corresponds to a Medium severity rating, while the EPSS score of less than 1% signals a low probability of exploitation under normal conditions. The vulnerability is not listed in the CISA KEV catalog, suggesting no known exploitation at present. The attack vector is authenticated access: a user who can add or edit widget content—typically a Contributor or higher—must first be authenticated to the WordPress admin area. Once they supply malicious widget content, every visitor to the affected page will trigger the script, giving the attacker reach over all users who view that page.

Generated by OpenCVE AI on April 20, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the UiCore Elements plugin to the latest version, which contains improved input validation and output escaping.
  • If an upgrade is not immediately possible, disable or restrict use of the affected widgets (UI Counter, UI Icon Box, UI Testimonial Slider/Grid/Carousel) until the plugin is patched.
  • Audit existing widget content for injected scripts and remove any malicious code; apply a site-wide search and replace to purge stored XSS payloads from the database.

Generated by OpenCVE AI on April 20, 2026 at 23:11 UTC.
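As an added illustration of the Impact paragraph and the first recommended action above (this is not code from the UiCore Elements plugin, whose affected source is not shown on this page): a hypothetical Elementor-style widget render function that prints Contributor-editable settings unescaped, beside the hardened form that escapes each value for the HTML context it lands in. It assumes WordPress core is loaded (esc_html, esc_attr, esc_url, wp_kses_post and absint are core WordPress functions); the function names, setting keys and sample settings are constructed for the example.

```php
<?php
// Added example, not the UiCore Elements plugin's code. Assumes WordPress core is loaded.
// A hypothetical counter-style widget whose settings a Contributor can edit in the page
// builder. In default WordPress a Contributor lacks the unfiltered_html capability, so
// the safe assumption is that every setting value is untrusted and must be escaped on output.

// BEFORE (vulnerable pattern): settings are trusted and interpolated verbatim into
// text nodes, an attribute and a URL. Any markup stored in them reaches the page as markup.
function render_counter_unescaped( array $s ) {
    return '<div class="ui-counter" data-suffix="' . $s['suffix'] . '">'
         . '<span class="ui-counter-number">' . $s['number'] . '</span>'
         . '<a href="' . $s['link'] . '">' . $s['title'] . '</a>'
         . '<div class="ui-counter-desc">' . $s['description'] . '</div>'
         . '</div>';
}

// AFTER (hardened): escape per context with WordPress's own helpers.
function render_counter_escaped( array $s ) {
    $number = absint( $s['number'] ?? 0 );        // numeric field: coerce, never echo raw
    $suffix = esc_attr( $s['suffix'] ?? '' );     // attribute context
    $title  = esc_html( $s['title'] ?? '' );      // plain text node: all markup becomes literal text
    $link   = esc_url( $s['link'] ?? '' );        // URL context: disallowed schemes are rejected
    // Rich-text field (e.g. a testimonial body): allow only the post-safe subset of HTML.
    $desc   = wp_kses_post( $s['description'] ?? '' );

    return '<div class="ui-counter" data-suffix="' . $suffix . '">'
         . '<span class="ui-counter-number">' . $number . '</span>'
         . '<a href="' . $link . '">' . $title . '</a>'
         . '<div class="ui-counter-desc">' . $desc . '</div>'
         . '</div>';
}

// Constructed sample settings carrying markup that must not be rendered as markup.
$sample = array(
    'number'      => '1200',
    'suffix'      => '+',
    'title'       => 'Happy <b>clients</b>',
    'link'        => 'https://example.com/',
    'description' => '<em>Trusted</em> since 2010 <script>console.log("marker")</script>',
);

echo render_counter_escaped( $sample );
// The unescaped renderer would emit the <script> element as-is. The hardened renderer
// keeps <em> (allowed by wp_kses_post), strips the <script> tags (their inner text is
// left as plain text), and esc_html turns the <b> in the title into literal characters.
```

The point for an auditor is that the fix belongs at output time, per context: one escaping function does not cover all four contexts above, and an unescaped echo of any single setting is enough to reproduce the class of issue this advisory describes.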

Advisories
Source: EUVD
ID: EUVD-2025-12238
Title: The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 23 Apr 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 23 Apr 2025 09:45:00 +0000

Type: Description
Values removed: none
Values added: The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values removed: none
Values added: UiCore Elements – Free Elementor widgets and templates <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Type: Weaknesses
Values removed: none
Values added: CWE-79

Type: References
Values removed: none
Values added: (not shown)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:34.515Z

Reserved: 2025-02-04T23:49:36.182Z

Link: CVE-2025-1054

Vulnrichment

Updated: 2025-04-23T15:35:51.412Z

NVD

Status: Deferred

Published: 2025-04-23T10:15:15.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses