CVE-2025-13692 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Unlimited Elements for Elementor (Premium) WordPress plugin, affecting all versions up to and including 2.0. The root cause is insufficient input sanitization and output escaping of SVG file uploads within forms created by the premium plugin. An unauthenticated attacker can exploit this by uploading a crafted SVG file containing malicious JavaScript code. This script is then stored and executed in the context of any user accessing the affected page, leading to potential session hijacking, data theft, or unauthorized actions. Notably, exploitation requires that a form with a file upload field be created using the premium plugin; however, once such a form exists, the vulnerability remains exploitable even if the premium plugin is deactivated or uninstalled, increasing the attack surface. The CVSS v3.1 score is 7.2 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a scope change due to the vulnerability impacting users beyond the initial attack surface. No patches or known exploits are currently reported, but the vulnerability's persistence post-deactivation poses a significant risk. The CWE-79 classification confirms the vulnerability is due to improper neutralization of input during web page generation, a common vector for XSS attacks in web applications.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web applications using the Unlimited Elements for Elementor plugin. Exploitation can lead to session hijacking, credential theft, defacement, or unauthorized actions performed on behalf of legitimate users. Since the attack does not require authentication or user interaction, it can be automated and scaled, potentially affecting a large number of visitors. The persistence of the vulnerability even after the premium plugin is deactivated increases the risk of unnoticed exploitation. Organizations with customer-facing WordPress sites, especially those handling sensitive user data or financial transactions, could suffer reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits given the public disclosure.

1. Immediately audit all WordPress sites using Unlimited Elements for Elementor (Premium) to identify any forms with file upload fields, especially those accepting SVG files. 2. Remove or disable any such forms if not strictly necessary. 3. Implement strict file upload validation and sanitization, disallowing SVG uploads or using SVG sanitization libraries that remove scripts and malicious content. 4. Apply Content Security Policy (CSP) headers to restrict script execution sources and reduce impact of potential XSS. 5. Monitor web server and application logs for suspicious upload activity or anomalous requests targeting SVG files. 6. Educate site administrators on the risk and ensure they do not rely on deactivation or uninstallation of the premium plugin as a mitigation, since the vulnerability persists. 7. Follow vendor advisories for patches or updates and apply them promptly once available. 8. Consider using Web Application Firewalls (WAF) with rules to detect and block malicious SVG payloads and XSS attempts. 9. Regularly scan websites with automated vulnerability scanners to detect XSS and other injection flaws.