Description
Cross-Site Request Forgery (CSRF) vulnerability in Elevio by Dixa Elevio elevio allows Stored XSS.This issue affects Elevio: from n/a through <= 4.4.1.
Published: 2025-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Elevio by Dixa Elevio plugin contains a Cross‑Site Request Forgery flaw that allows an attacker to inject and store arbitrary JavaScript code. The stored script is later executed when a user views the affected content, thereby creating a Stored XSS vulnerability. The description does not specify further capabilities such as credential theft or session hijack. The weakness is identified as CWE-352.

Affected Systems

All WordPress installations running the Elevio plugin version 4.4.1 or earlier are affected. No additional configuration settings or versions are mentioned, so any deployment of this plugin up to the specified version is considered vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high risk. The EPSS score of less than 1% suggests that exploitation is unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to forge a request that the Elevio plugin accepts as legitimate, causing the malicious code to be stored and subsequently executed during normal page rendering. This requires that the request bypass any CSRF defenses the site may provide, which the plugin currently lacks.

Generated by OpenCVE AI on May 2, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Elevio plugin to a version newer than 4.4.1 that removes the CSRF to Stored XSS flaw.
  • If an update cannot be applied immediately, disable or uninstall the Elevio plugin to eliminate the attack vector.
  • Examine stored content for any injected scripts and remove them to mitigate any payloads that may already exist.

Generated by OpenCVE AI on May 2, 2026 at 09:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2728 Cross-Site Request Forgery (CSRF) vulnerability in Elevio Elevio allows Stored XSS.This issue affects Elevio: from n/a through 4.4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Elevio Elevio allows Stored XSS.This issue affects Elevio: from n/a through 4.4.1. Cross-Site Request Forgery (CSRF) vulnerability in Elevio by Dixa Elevio elevio allows Stored XSS.This issue affects Elevio: from n/a through <= 4.4.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 11:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Elevio Elevio allows Stored XSS.This issue affects Elevio: from n/a through 4.4.1.
Title WordPress Elevio plugin <= 4.4.1 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:35:13.352Z

Reserved: 2025-01-03T13:16:33.552Z

Link: CVE-2025-22328

cve-icon Vulnrichment

Updated: 2025-01-07T15:21:29.243Z

cve-icon NVD

Status : Deferred

Published: 2025-01-07T11:15:17.020

Modified: 2026-06-17T08:46:30.667

Link: CVE-2025-22328

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T10:00:06Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)