CVE-2025-13977 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress, affecting all versions up to and including 6.5.3. The vulnerability stems from improper neutralization of input during web page generation, specifically within the Event Calendar widget's handling of custom attributes and the Image Masking module's element ID rendering. These components fail to adequately sanitize user-supplied input and escape output, enabling authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored persistently, they execute automatically whenever any user accesses the infected page, without requiring additional user interaction. This can lead to unauthorized actions such as session hijacking, credential theft, or defacement. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, and requiring privileges but no user interaction. No public exploits are currently known, but the widespread use of the plugin in WordPress sites globally elevates the risk. The vulnerability highlights the importance of robust input validation and output encoding in web applications, especially in popular CMS plugins that handle dynamic content rendering.

The impact of CVE-2025-13977 is significant for organizations using the Essential Addons for Elementor plugin, as it allows authenticated users with relatively low privileges (Contributor and above) to inject persistent malicious scripts into web pages. This can compromise the confidentiality and integrity of user sessions by enabling session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of users. The availability impact is minimal, but the reputational damage and potential data breaches can be severe. Since the vulnerability affects a widely used WordPress plugin, many websites globally are at risk, especially those that allow Contributor-level access to multiple users or third-party content creators. Attackers could leverage this vulnerability to conduct targeted attacks against site administrators or visitors, potentially leading to broader network compromise or phishing campaigns. The medium CVSS score reflects the need for timely remediation but indicates that exploitation requires some level of access, limiting the scope to sites with less restrictive user privilege management.

To mitigate CVE-2025-13977, organizations should immediately update the Essential Addons for Elementor plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads targeting the affected plugin components can provide interim protection. Additionally, site owners should audit existing content created by Contributors for suspicious scripts or injected code and remove any malicious entries. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly monitoring logs and user activity for unusual behavior related to content editing is also advised. Finally, educating content creators about safe input practices and the risks of injecting untrusted code can reduce accidental exploitation.