Description
The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The flaw allows an attacker with contributor‑level access in the ElementsKit Elementor Addons and Templates WordPress plugin to inject arbitrary scripts into the before/after labels of the image comparison widget. This stored cross‑site scripting can execute whenever victims view a page that contains the compromised widget, potentially allowing session hijacking, defacement, or the execution of further malicious code.

Affected Systems

WordPress sites that have the ElementsKit Lite plugin, version 3.5.2 or earlier, installed from the roxnor:ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor package. The vulnerability is present in all releases up to and including 3.5.2, affecting all users who can add or edit content with contributor‑level permissions.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score is less than 1%, suggesting the likelihood of exploitation is low, and the vulnerability is not listed in CISA’s KEV catalog. However, because any contributor or higher role may inject the payload, the risk to sites with widespread or untrusted content authors remains significant. Exploitation requires authenticated access, but once the malicious script is stored it will run for all page visitors, making it a potent threat in environments where contributor privileges are widely granted.

Generated by OpenCVE AI on April 20, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ElementsKit Lite to version 3.5.3 or later where the input sanitization issue is fixed
  • Review and limit the use of contributor‑level roles, ensuring they are only granted to trusted users
  • If an update cannot be applied immediately, disable the image comparison widget on all sites or remove the before/after label fields from the widget configuration to eliminate the attack surface

Generated by OpenCVE AI on April 20, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18679 The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 10 Jul 2025 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Wpmet
Wpmet elementskit Elementor Addons
CPEs cpe:2.3:a:wpmet:elementskit_elementor_addons:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpmet
Wpmet elementskit Elementor Addons

Fri, 20 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Jun 2025 04:00:00 +0000

Type Values Removed Values Added
Description The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title ElementsKit Lite <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wpmet Elementskit Elementor Addons
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:11.357Z

Reserved: 2025-05-09T10:56:58.493Z

Link: CVE-2025-4479

cve-icon Vulnrichment

Updated: 2025-06-20T12:38:23.263Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-19T04:15:49.147

Modified: 2025-07-10T00:06:38.117

Link: CVE-2025-4479

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Weaknesses