CVE-2025-13196 identifies a stored cross-site scripting (XSS) vulnerability in the Element Pack Addons for Elementor plugin for WordPress, specifically within the Open Street Map widget's marker content parameter. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), where user-supplied data is not adequately sanitized or escaped before rendering. As a result, authenticated users with contributor-level privileges or higher can inject arbitrary JavaScript code into pages via the marker content parameter. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability affects all versions up to and including 8.3.4 of the plugin. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be performed remotely over the network with low attack complexity, requires privileges (contributor or higher), and user interaction (viewing the page). The scope is changed, meaning the vulnerability affects resources beyond the vulnerable component. Confidentiality and integrity impacts are low, while availability is not affected. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can compromise user confidentiality and data integrity within affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, or distribution of malware. While availability is not directly impacted, the trustworthiness and reputation of affected websites can be severely damaged. Organizations relying on the Element Pack Addons for Elementor plugin, especially those with multiple contributors or public-facing content, face increased risk of targeted attacks exploiting this vulnerability. The medium CVSS score reflects the need for timely remediation to prevent exploitation, particularly in environments where contributor access is common or where sensitive data is handled.

1. Immediate mitigation involves restricting contributor-level access to trusted users only, minimizing the risk of malicious script injection. 2. Administrators should monitor and audit content submitted via the Open Street Map widget's marker content parameter for suspicious or unexpected scripts. 3. Implement web application firewall (WAF) rules to detect and block common XSS payloads targeting this parameter. 4. Disable or remove the Open Street Map widget if it is not essential to reduce the attack surface. 5. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 6. Regularly update the Element Pack Addons for Elementor plugin once the vendor releases a patch addressing this vulnerability. 7. Educate content contributors about safe content practices and the risks of injecting untrusted code. 8. Employ security plugins that sanitize user inputs and outputs to provide an additional layer of defense.