CVE-2025-11220 - Vulnerability Details

- Elementor <= 3.33.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text Path

Description

The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-12-16

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Elementor plugin contains an insufficient neutralization of user‑supplied input used in the Text Path widget. Injected characters are incorporated into SVG markup that is stored in the page content, causing the web browser to execute arbitrary JavaScript whenever a user loads that page. An authenticated user with contributor level or higher can perform the injection. The impact is the execution of client‑side script on any visitor to the compromised page.

Affected Systems

WordPress sites that use the Elementor plugin, version 3.33.3 or earlier. The vulnerability is present in all releases up to and including 3.33.3, affecting the Text Path widget of the plugin.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity. The EPSS score of less than 1% suggests that current exploitation likelihood is low. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authenticated access with contributor privileges, and the attack vector is via the plugin’s user interface that stores SVG content in the database. Once stored, the data is rendered on all page views, allowing the attacker to affect any site visitor. Overall risk is moderate due to the requirement for contributor access, but the potential for widespread client‑side compromise warrants swift action.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

elemntor

Elementor Website Builder – more than just a page builder

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.33.3

No data.

Vendor	Product	Confidence	Versions
Elementor	Elementor	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Elementor plugin update (3.33.4 or newer if available) to eliminate the XSS flaw.
If a patch is not yet available, disable the Text Path widget on all pages or strip user input before rendering SVG to prevent script injection.
Restrict contributor‑level accounts by enforcing least‑privilege policies or enabling two‑factor authentication, and monitor for suspicious SVG content with a web‑application firewall or security plugin.

Generated by OpenCVE AI on April 27, 2026 at 22:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3414494/elementor
https://www.wordfence.com/threat-intel/vulnerabilities/id/1a73c078-ce66-4131-8bd7-6fd48fc9fa84?source=cve

History

Tue, 16 Dec 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Elementor Elementor elementor Wordpress Wordpress wordpress
Vendors & Products		Elementor Elementor elementor Wordpress Wordpress wordpress

Tue, 16 Dec 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 16 Dec 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Elementor <= 3.33.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text Path
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/changeset/3414494/elementor https://www.wordfence.com/threat-intel/vulnerabilities/id/1a73c078-ce66-4131-8bd7-6fd48fc9fa84?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Elementor Elementor

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-12-16T11:15:44.155Z

Updated: 2026-04-08T16:38:05.769Z

Reserved: 2025-09-30T23:12:28.298Z

Link: CVE-2025-11220

Vulnrichment

Updated: 2025-12-16T14:49:48.685Z

NVD

Status : Deferred

Published: 2025-12-16T12:15:45.467

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T22:15:15Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object