Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS. This issue affects Make Section & Column Clickable For Elementor: from n/a through <= 2.4.
Published: 2025-12-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw that allows an attacker to inject and persist arbitrary JavaScript into the plugin’s output. The stored payload is not properly neutralized during page rendering, enabling an attacker to execute malicious code in the browser context of any user who views the compromised content.

Affected Systems

The flaw affects the Make Section & Column Clickable For Elementor plugin by Riyadh Ahmed, all releases up to and including version 2.4. Any WordPress site running this plugin at version 2.4 or earlier is exposed.

Risk and Exploitability

The severity is graded as medium with a CVSS score of 5.9, and the EPSS score is less than 1%, indicating a low estimated likelihood of exploitation. Because the plugin stores the injected data, an attacker who can create or edit Elementor sections can permanently compromise the site. The vulnerability is not listed in the CISA KEV catalog, but it should still be addressed promptly.

Generated by OpenCVE AI on April 29, 2026 at 12:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 2.4 that contains the security fix.
  • If no update is available, uninstall or disable the plugin entirely to remove the vulnerable code path.
  • Scan all existing Elementor sections and columns for any suspicious or malicious code inserted via the plugin and remove or sanitize it.
  • Implement or strengthen a Content Security Policy that blocks inline scripts and disallows execution of untrusted JavaScript.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section &amp; Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS.This issue affects Make Section &amp; Column Clickable For Elementor: from n/a through <= 2.4.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS.This issue affects Make Section & Column Clickable For Elementor: from n/a through <= 2.4.

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section &amp; Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS.This issue affects Make Section &amp; Column Clickable For Elementor: from n/a through <= 2.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section &amp; Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS.This issue affects Make Section &amp; Column Clickable For Elementor: from n/a through <= 2.4.

Type: Title
Values Removed: WordPress Make Section & Column Clickable For Elementor plugin <= 2.3 - Cross Site Scripting (XSS) vulnerability
Values Added: WordPress Make Section & Column Clickable For Elementor plugin <= 2.4 - Cross Site Scripting (XSS) vulnerability

Fri, 30 Jan 2026 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added:
  Elementor
  Elementor elementor
  Riyadh Ahmed
  Riyadh Ahmed make Section And Column Clickable For Elementor
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Elementor
  Elementor elementor
  Riyadh Ahmed
  Riyadh Ahmed make Section And Column Clickable For Elementor
  Wordpress
  Wordpress wordpress

Wed, 10 Dec 2025 17:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N'}


Tue, 09 Dec 2025 15:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section &amp; Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS.This issue affects Make Section &amp; Column Clickable For Elementor: from n/a through <= 2.3.

Type: Title
Values Added: WordPress Make Section & Column Clickable For Elementor plugin <= 2.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:34:18.815Z

Reserved: 2025-10-24T14:25:50.121Z

Link: CVE-2025-63033

Vulnrichment

Updated: 2025-12-10T17:11:04.155Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:08.767

Modified: 2026-04-28T19:35:10.120

Link: CVE-2025-63033

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:30:10Z
