Description
The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget (countdown feature) in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-03-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The DethemeKit for Elementor plugin for WordPress contains a vulnerability in the De Product Display Widget countdown feature that permits an authenticated user with Contributor-level access or higher to store and inject arbitrary JavaScript into page content. Because the injected script is persisted, it will execute in the browsers of all users who view the affected page, allowing the attacker to run malicious code on the site.

Affected Systems

WordPress sites that have installed DethemeKit for Elementor in version 2.1.9 or earlier and have at least one user with Contributor-level privileges—or any role equal to or greater than Contributor—are affected. The vulnerability exists in all builds up through 2.1.9, so any site running that exact or earlier version is at risk.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 score of 6.4, classifying it as medium severity. The EPSS score of less than 1% indicates a low likelihood of exploitation at present. Exploitation requires authenticated access; therefore the attack vector is internal, and an adversary must first compromise a Contributor or higher account before injecting the payload. The vulnerability is not listed in the CISA KEV catalog, meaning there is currently no record of widespread exploitation.

Generated by OpenCVE AI on April 22, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DethemeKit for Elementor to version 2.2.0 or later to remove the input sanitization issue.
  • Restrict Contributor-level and higher roles to trusted users only, or remove the role if it is not required for normal site operations.
  • Review site content for injected scripts, delete any malicious code that has already been stored, and monitor access logs for suspicious activity.

Generated by OpenCVE AI on April 22, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6409 The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget (countdown feature) in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0004}

 epss

{'score': 0.00057}

Mon, 24 Mar 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Detheme
Detheme dethemekit For Elementor
CPEs cpe:2.3:a:detheme:dethemekit_for_elementor:*:*:*:*:*:wordpress:*:*
Vendors & Products Detheme
Detheme dethemekit For Elementor

Fri, 14 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 14 Mar 2025 07:30:00 +0000

Type Values Removed Values Added
Description The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget (countdown feature) in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title DethemeKit for Elementor <= 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Detheme Dethemekit For Elementor
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:34.869Z

Reserved: 2025-02-20T21:03:14.679Z

Link: CVE-2025-1526

cve-icon Vulnrichment

Updated: 2025-03-14T14:50:17.884Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-14T08:15:12.120

Modified: 2025-03-24T18:04:40.790

Link: CVE-2025-1526

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses