Description
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Table of Contents widget in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-04-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via plugin widget
Action: Patch Now
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw (CWE‑79) in the Table of Contents widget of the LA‑Studio Element Kit for Elementor plugin, versions up to and including 1.4.9, caused by inadequate sanitization and escaping of widget attributes supplied by users. An authenticated user with contributor‑level access or higher can store a payload in the widget's settings; the JavaScript then executes in the browser of anyone who views the affected page. A contributor cannot publish, so in practice the payload first fires when an editor or administrator previews or publishes the submitted page, and afterwards for every visitor, which is why the CVSS vector records a changed scope (S:C).
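To make the CWE‑79 pattern concrete, the following is an added PHP example and not code from the LA‑Studio plugin: a hypothetical widget render function that drops a control value into an HTML attribute without escaping, beside the hardened form that escapes for the attribute and text contexts. The function names, the 'toc_title' control, the demo‑toc class, the simplified stand‑ins for the WordPress escaping functions, and the attacker value are all assumptions constructed for the demo.

```php
<?php
/**
 * Added illustrative example (not LA-Studio Element Kit's own code).
 * Models the CWE-79 pattern behind this advisory: a widget control value
 * echoed into an HTML attribute unescaped, next to the hardened version.
 * Function names, the 'toc_title' control and the CSS class are assumptions.
 */

// Stand-ins for WordPress esc_attr()/esc_html() so the file runs outside
// WordPress. The real functions also normalise pre-existing entities; for
// the demo, htmlspecialchars() with ENT_QUOTES is enough to show the idea.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( string $text ): string {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( string $text ): string {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

/**
 * Vulnerable pattern. Elementor keeps widget settings in the post's
 * _elementor_data meta, and a contributor (no unfiltered_html capability)
 * can set any control value, so the render path is the only place the
 * value can be neutralised. Here it is not.
 */
function render_toc_vulnerable( array $settings ): string {
    $title = $settings['toc_title'] ?? 'Table of Contents';
    return '<div class="demo-toc" data-title="' . $title . '" tabindex="0">'
         . '<span class="demo-toc-title">' . $title . '</span></div>';
}

/**
 * Hardened pattern: escape for the exact output context, esc_attr()
 * inside the attribute value and esc_html() for the text node.
 */
function render_toc_hardened( array $settings ): string {
    $title = $settings['toc_title'] ?? 'Table of Contents';
    return '<div class="demo-toc" data-title="' . esc_attr( $title ) . '" tabindex="0">'
         . '<span class="demo-toc-title">' . esc_html( $title ) . '</span></div>';
}

/**
 * Crude check used only by this demo: does the rendered markup contain an
 * attribute boundary (a literal quote) followed by an event-handler name?
 * Escaped output never has a raw quote in that position.
 */
function has_injected_handler( string $html ): bool {
    return (bool) preg_match( '/"\s+on[a-z]+\s*=/i', $html );
}

// Constructed attacker value: closes data-title, then adds autofocus and an
// onfocus handler so the script fires as soon as the page is rendered.
$payload  = '" autofocus="" onfocus="alert(document.domain)';
$settings = array( 'toc_title' => $payload ); // stands in for get_settings_for_display()

$vuln = render_toc_vulnerable( $settings );
$safe = render_toc_hardened( $settings );

echo "vulnerable render:\n", $vuln, "\n";
echo "hardened render:\n", $safe, "\n";
echo 'handler injected (vulnerable): ', var_export( has_injected_handler( $vuln ), true ), "\n";
echo 'handler injected (hardened):   ', var_export( has_injected_handler( $safe ), true ), "\n";
```

Run it with `php toc_xss_demo.php`: the vulnerable render ends up with `onfocus="alert(document.domain)"` as a real attribute and the check reports true, while the hardened render keeps the whole value inside `data-title` as `&quot;`‑encoded text and the check reports false. In a real Elementor widget the equivalent fix is to route attribute values through Elementor's own `add_render_attribute()` / `get_render_attribute_string()` helpers, which apply `esc_attr()` on output, instead of concatenating them into the markup.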

Affected Systems

The affected system is the WordPress plugin LA‑Studio Element Kit for Elementor. All releases from the initial plugin version through 1.4.9 are vulnerable. Any WordPress site running one of these versions is exposed, and the widget need not already be in use: an attacker with contributor access and Elementor editing rights can add it to a draft they control.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (Medium) comes from a vector of network access, low attack complexity, low privileges, no user interaction beyond loading the page, and changed scope with low confidentiality and integrity impact. The EPSS score below 1% indicates a low observed probability of exploitation in the wild, the SSVC assessment records no known exploitation and rates the attack as not automatable, and the flaw is not listed in the CISA KEV catalog. Attackers must hold at least contributor‑level access to store the payload; once it is stored, every user who loads the affected page, including the editor reviewing it, runs the script.

Generated by OpenCVE AI on April 22, 2026 at 01:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release later than 1.4.9. The affected range ends at 1.4.9, so the next release is the expected fix, but this page records no vendor fix version; confirm against the plugin changelog before relying on it.
  • Until the upgrade is done, limit who can reach the Table of Contents widget rather than only removing it from published pages: deleting the widget from existing pages does not neutralise a payload already stored in a contributor's draft, and the contributor can re‑add it. Elementor's Role Manager can exclude the Contributor role from editing with Elementor, and pending contributor submissions should be reviewed with care until patched.
  • A Content‑Security‑Policy that omits 'unsafe-inline' blocks the inline event handlers this class of payload relies on, but WordPress core, Elementor and many themes emit inline scripts, so test a nonce‑ or hash‑based policy in report‑only mode first. Treat CSP as defence in depth, not as the fix.

Generated by OpenCVE AI on April 22, 2026 at 01:42 UTC.

Advisories
Source  ID               Title
EUVD    EUVD-2025-11845  The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Table of Contents widget in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 18 Apr 2025 12:15:00 +0000

Type     Values Removed   Values Added
Metrics                   ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 18 Apr 2025 09:30:00 +0000

Type         Values Removed   Values Added
Description                   The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Table of Contents widget in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                         LA-Studio Element Kit for Elementor <= 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table of Contents Widget
Weaknesses                    CWE-79
References
Metrics                       cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:40.872Z

Reserved: 2025-04-01T23:42:19.516Z

Link: CVE-2025-3106

Vulnrichment

Updated: 2025-04-18T11:34:01.306Z

NVD

Status : Deferred

Published: 2025-04-18T10:15:14.243

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3106

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:45:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')