
CVE-2025-1455: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wproyal Royal Elementor Addons and Templates

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-1455, cve, cve-2025-1455, cwe-79
Published: Sat Apr 12 2025 (04/12/2025, 08:22:39 UTC)
Source: CVE
Vendor/Project: wproyal
Product: Royal Elementor Addons and Templates

Description

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Woo Grid widget in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 07/12/2025, 03:49:35 UTC

Technical Analysis

CVE-2025-1455 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Royal Elementor Addons and Templates plugin for WordPress, specifically affecting the Woo Grid widget in all versions up to and including 1.7.1012. This vulnerability arises from improper input sanitization and insufficient output escaping, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary malicious scripts into web pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or further exploitation of the victim's browser environment. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based, requiring low attack complexity and privileges at the Contributor level, with no user interaction needed for exploitation. The vulnerability impacts confidentiality and integrity but not availability, and the scope is changed as the vulnerability affects resources beyond the attacker’s control. No known exploits are currently reported in the wild, and no official patches have been released yet. The plugin is widely used in WordPress sites that employ Elementor page builder enhancements, making this a relevant threat for websites relying on this plugin for content presentation and layout customization.

Potential Impact

For European organizations, this vulnerability poses a significant risk especially for those relying on WordPress sites with the Royal Elementor Addons and Templates plugin installed. Exploitation could lead to unauthorized script execution, enabling attackers to steal session cookies, perform phishing attacks, or execute malicious actions on behalf of legitimate users. This could result in data breaches involving personal data protected under GDPR, reputational damage, and potential regulatory penalties. Since the vulnerability requires Contributor-level access, it could be exploited by malicious insiders or compromised user accounts, increasing the risk in environments with multiple content editors. The stored nature of the XSS means that once injected, the malicious payload persists and affects all visitors to the infected pages, amplifying the attack impact. European organizations with e-commerce, media, or governmental websites using this plugin are particularly at risk, as attackers could leverage the vulnerability to target high-value users or disrupt trust in digital services.

Mitigation Recommendations

Immediate mitigation steps include auditing user roles and permissions to restrict Contributor-level access only to trusted personnel. Organizations should implement strict input validation and output encoding at the application level, especially for any user-generated content rendered by the Woo Grid widget. Web Application Firewalls (WAFs) can be configured with custom rules to detect and block typical XSS payloads targeting this plugin. Monitoring logs for unusual script injection patterns or unexpected content changes on pages using the affected widget is critical. Until an official patch is released, consider disabling or removing the Royal Elementor Addons and Templates plugin or replacing it with alternative, secure plugins. Additionally, organizations should educate content editors about the risks of uploading untrusted content and enforce multi-factor authentication to reduce the risk of account compromise. Regular vulnerability scanning and penetration testing focused on XSS vectors in WordPress environments will help identify and remediate similar issues proactively.
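As an added example (not code from the plugin, the vendor, or this advisory's source), the following triage script covers two of the checks recommended above: whether an installed plugin version falls in the affected range, and whether stored Woo Grid widget settings contain active markup. It reads the JSON that Elementor keeps in the `_elementor_data` post meta; the widget type string `wpr-woo-grid` and the setting names in the sample are assumptions to confirm against your own site.

```python
import json
import re

# Last affected version, as stated in the advisory text above.
LAST_AFFECTED = "1.7.1012"
# ASSUMPTION: Elementor widgetType string for the Woo Grid widget.
WOO_GRID_WIDGET = "wpr-woo-grid"
# Generic markers of active content in a stored setting; hits need manual review.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|svg|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:", re.I)

def is_affected(version):
    """True when a dotted numeric version is <= the last affected release."""
    def as_tuple(v):
        return tuple(int(part) for part in v.split("."))
    return as_tuple(version) <= as_tuple(LAST_AFFECTED)

def iter_strings(value, path=""):
    """Yield (path, string) for every string nested inside a settings value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{idx}]")

def scan_elementor_data(raw_json, widget_type=WOO_GRID_WIDGET):
    """Return (element_id, setting_path) pairs for suspicious widget settings."""
    findings = []
    stack = list(json.loads(raw_json))
    while stack:
        element = stack.pop()
        stack.extend(element.get("elements", []))  # descend into nested elements
        if element.get("widgetType") != widget_type:
            continue
        for path, text in iter_strings(element.get("settings", {})):
            if SUSPICIOUS.search(text):
                findings.append((element.get("id"), path))
    return findings

# Constructed sample of one page's _elementor_data; setting names are hypothetical.
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "elements": [
    {"id": "b2", "elType": "widget", "widgetType": WOO_GRID_WIDGET,
     "settings": {"layout": "fitRows",
                  "example_setting": "<script>/* constructed marker */</script>"}},
    {"id": "c3", "elType": "widget", "widgetType": "heading",
     "settings": {"title": "Shop"}}]}])
```

Run `scan_elementor_data` over each page's exported `_elementor_data` value and review every reported element in the editor; a hit identifies content to inspect, not a confirmed injection.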


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-02-18T19:42:38.091Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6c10

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 3:49:35 AM

Last updated: 7/30/2025, 2:11:17 PM
