Description
The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting
Action: Patch Now
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the URL attribute of a custom widget in ElementsKit Elementor Addons and Templates. The vulnerability allows contributors and higher‑privileged users to inject arbitrary JavaScript that is persisted and executed whenever a page containing the injected widget is accessed. Because the injected code runs in the context of the site’s visitors, an attacker could steal session cookies, deface pages, or redirect users to malicious sites.

Affected Systems

The flaw affects the ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for WordPress plugin, identified as roxnor:ElementsKit Elementor Addons. All versions up to and including 3.5.2 are vulnerable; later releases are not affected.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate‑to‑high impact, while the EPSS score of <1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with at least Contributor privileges to inject the malicious code, requiring them to log in to the WordPress administrative interface and edit a page or template containing the custom widget. Once injected, the vulnerability turns into a site‑wide issue, executing in every visitor’s browser.

Generated by OpenCVE AI on April 22, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ElementsKit Elementor Addons plugin to the latest available version, which resolves the stored XSS flaw in the custom widget URL attribute.
  • If an immediate update is not possible, disable or remove custom widgets that allow arbitrary URLs, or restrict Contributor role permissions so they cannot edit these widgets.
  • Apply general WordPress security hardening: ensure that all user roles have the minimal permissions required and that plugin and core updates are applied promptly.

Generated by OpenCVE AI on April 22, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-22550 The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 28 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Wpmet
Wpmet elementskit Elementor Addons
CPEs cpe:2.3:a:wpmet:elementskit_elementor_addons:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpmet
Wpmet elementskit Elementor Addons

Fri, 25 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Jul 2025 22:45:00 +0000

Type Values Removed Values Added
Description The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title ElementsKit Elementor Addons and Templates <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Widget
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wpmet Elementskit Elementor Addons
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:05.949Z

Reserved: 2025-04-14T21:19:40.931Z

Link: CVE-2025-3614

cve-icon Vulnrichment

Updated: 2025-07-25T13:31:23.767Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-24T23:15:26.453

Modified: 2025-07-28T15:07:38.667

Link: CVE-2025-3614

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:30:28Z

Weaknesses