CVE-2025-12537 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Addon Elements for Elementor plugin for WordPress, formerly known as Elementor Addon Elements. This vulnerability affects all versions up to and including 1.14.3. The root cause is insufficient input sanitization and output escaping on multiple widget parameters within the plugin. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into widget parameters on pages they can edit. Because the malicious script is stored persistently, it executes whenever any user accesses the compromised page, potentially affecting site visitors and administrators. The vulnerability does not require user interaction beyond visiting the page, and the attacker does not need higher privileges than Contributor, which is a relatively low-level role in WordPress. The CVSS 3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, and privileges required at the contributor level. The impact includes limited confidentiality and integrity loss, with no direct availability impact. No public exploits have been reported yet, but the vulnerability poses a risk for session hijacking, defacement, or unauthorized actions via injected scripts. The plugin is widely used in WordPress environments, which are popular globally, increasing the potential attack surface. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for interim mitigations.

This vulnerability enables authenticated contributors to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users viewing those pages. The potential impacts include theft of session cookies, enabling account takeover; defacement of website content; redirection to malicious sites; and execution of unauthorized actions on behalf of users with elevated privileges. Because the vulnerability affects a widely used WordPress plugin, the attack surface is large, potentially impacting thousands of websites globally. Organizations relying on this plugin risk reputational damage, loss of user trust, and potential data breaches. The medium CVSS score reflects that while the attack requires some privileges, the ease of exploitation and the persistent nature of the XSS increase risk. The scope is broad as any user visiting the infected page can be affected, including administrators. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, especially given the public disclosure. This vulnerability could be leveraged in targeted attacks against organizations using this plugin, especially those with Contributor-level users who may be less trusted or more easily compromised.

1. Immediately restrict Contributor-level user capabilities by reviewing and limiting who can create or edit content using the vulnerable plugin's widgets. 2. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads, particularly targeting the affected widget parameters. 3. Monitor website content for unexpected script injections or unauthorized changes, using file integrity monitoring and content scanning tools. 4. Disable or remove the Addon Elements for Elementor plugin if not essential, or replace it with a more secure alternative until a patch is available. 5. Educate content contributors on safe content creation practices and the risks of injecting untrusted input. 6. Keep WordPress core and all plugins updated, and subscribe to vendor security advisories to apply patches promptly once released. 7. Consider implementing Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS. 8. Conduct regular security audits and penetration testing focusing on user-generated content areas to detect similar vulnerabilities early.