CVE-2025-13977 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress. The vulnerability exists due to insufficient sanitization of user input and inadequate output escaping in two specific components: the Event Calendar widget's handling of custom attributes and the Image Masking module's rendering of element IDs. These flaws allow authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability affects all versions up to and including 6.5.3. The CVSS 3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and scope change due to impact on other users. No known public exploits have been reported yet. The vulnerability's impact is primarily on confidentiality and integrity, as attackers can steal sensitive data or manipulate site content but do not disrupt availability. The plugin is widely used in WordPress sites leveraging Elementor for page building, making this a significant risk for websites that allow multiple contributors. The lack of a patch at the time of reporting necessitates immediate mitigation steps to reduce exposure.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of their WordPress-based websites, especially those using the Essential Addons for Elementor plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to credential theft, session hijacking, or unauthorized content manipulation. This can damage organizational reputation, lead to data breaches involving personal or business-critical information, and facilitate further attacks such as phishing or malware distribution. Since many European companies rely on WordPress for their digital presence, including e-commerce, government portals, and media sites, exploitation could disrupt trust and compliance with data protection regulations like GDPR. The vulnerability does not affect availability directly but can indirectly cause service disruptions if exploited to deface or compromise websites. The requirement for authenticated access limits the attack surface but does not eliminate risk, as Contributor roles are common in collaborative environments. Organizations with large editorial teams or external contributors are particularly vulnerable.

1. Immediately review and restrict user roles on affected WordPress sites, limiting Contributor-level access to trusted users only. 2. Implement strict input validation and output encoding for any custom attributes or element IDs in the Event Calendar and Image Masking features, if custom development is involved. 3. Monitor site content and logs for unusual script injections or modifications, using web application firewalls (WAF) with rules targeting XSS patterns. 4. Disable or remove the vulnerable widgets/modules temporarily if feasible until an official patch is released. 5. Educate content contributors about the risks of injecting untrusted content and enforce content submission policies. 6. Keep WordPress core and all plugins updated; apply the official patch from wpdevteam as soon as it becomes available. 7. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts. 8. Conduct regular security audits and penetration testing focusing on user input handling in collaborative plugins. 9. Backup website data frequently to enable quick recovery in case of compromise. 10. Coordinate with hosting providers to leverage additional security controls and monitoring.