CVE-2025-1458: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bdthemes Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder
The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets like Dual Button, Creative Button, Image Stack and more in all versions up to, and including, 5.10.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-1458 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin "Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder" developed by bdthemes. This plugin provides additional widgets and templates for the popular Elementor page builder. The vulnerability exists in all versions up to and including 5.10.29 due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping in several widgets such as Dual Button, Creative Button, and Image Stack. An authenticated attacker with Contributor-level privileges or higher can inject arbitrary malicious JavaScript code into pages via these vulnerable widgets. Because the injected scripts are stored persistently with the page content, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The CVSS 3.1 base score is 6.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L), with no impact on availability (A:N). No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability stems from CWE-79, a common web application security flaw caused by failing to validate input and encode output during dynamic page generation.
Potential Impact
For European organizations using WordPress websites enhanced with the Element Pack Addons for Elementor plugin, this vulnerability poses a significant risk. Attackers with contributor-level access, often content editors or similar roles, can inject malicious scripts that execute in the browsers of site visitors, including administrators and customers. This can lead to theft of authentication cookies, unauthorized actions on behalf of users, defacement, or distribution of malware. E-commerce sites using WooCommerce widgets are particularly at risk, as compromise could lead to theft of customer data or payment information. The scope of impact is broad because Elementor and its addons are widely used across Europe in sectors such as retail, media, education, and government. Exploitation could undermine user trust, cause reputational damage, and lead to regulatory penalties under GDPR if personal data is compromised. The requirement for authenticated access limits the attack surface somewhat but does not eliminate risk, especially in organizations with many contributors or weak internal access controls. Because no user interaction is needed for exploitation, automated or stealthy attacks become more likely once contributor credentials are obtained.
Mitigation Recommendations
1. Immediate mitigation involves restricting Contributor-level access strictly to trusted users and reviewing existing user roles to minimize privilege creep.
2. Implement strict input validation and output encoding at the application level for all user-generated content, especially in widgets known to be vulnerable.
3. Monitor and audit content changes made by contributors for suspicious or unexpected script injections.
4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting these widgets.
5. Encourage the plugin vendor to release a security patch promptly; until then, consider disabling or removing the vulnerable widgets if feasible.
6. Educate content editors and contributors about the risks of injecting untrusted content and enforce secure content creation policies.
7. Regularly update WordPress core, plugins, and themes to the latest versions once patches become available.
8. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks.
9. Conduct periodic security assessments and penetration testing focusing on user input handling in WordPress environments.
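As an added example (not Element Pack's or this page's own code), the escaping gap named in item 2 shown in PHP for a button-style Elementor widget: the weak render echoes Contributor-saved settings raw, the hardened render picks the WordPress escaper for each output context. The settings array and the class name `demo-button` are constructed; in a real widget the settings come from `$this->get_settings_for_display()` inside `Widget_Base::render()`.

```php
<?php
// Added illustration, not Element Pack's own code. It mirrors the CWE-79 pattern
// behind this advisory: values a Contributor saves in a widget's controls are
// echoed by render() without escaping for the output context. Assumes the
// WordPress helpers esc_attr(), esc_url(), esc_html() and wp_kses_post().

// Constructed settings, the kind a Contributor could save and that WordPress
// then stores persistently with the page.
$settings = [
    'button_id'   => 'cta" onmouseover="alert(1)',
    'button_link' => [ 'url' => 'javascript:alert(1)' ],
    'button_text' => 'Buy now<img src=x onerror="alert(1)">',
];

// Weak form: raw settings go straight into the markup, so each of the three
// values above becomes live script for every visitor who loads the page.
function render_button_weak( array $s ): string {
    return '<a id="' . $s['button_id'] . '" class="demo-button" href="'
        . $s['button_link']['url'] . '">' . $s['button_text'] . '</a>';
}

// Hardened form: choose the escaper for each output context at the point of output.
function render_button_hardened( array $s ): string {
    // Attribute value: esc_attr() encodes quotes, so the value cannot close the
    // id attribute and introduce an event-handler attribute.
    $id = esc_attr( $s['button_id'] );

    // URL: esc_url() drops schemes outside wp_allowed_protocols(), returning ''
    // for 'javascript:alert(1)' rather than a clickable handler.
    $url = esc_url( $s['button_link']['url'] );

    // Text node: esc_html() encodes < > & " so the tag renders as literal text.
    // If limited markup is a feature, wp_kses_post() keeps the post-safe subset
    // and strips script tags, on* handlers and javascript: URLs instead.
    $text = esc_html( $s['button_text'] );

    return '<a id="' . $id . '" class="demo-button" href="' . $url . '">' . $text . '</a>';
}

echo render_button_weak( $settings ) . "\n";     // unescaped markup, never ship this
echo render_button_hardened( $settings ) . "\n"; // href="" plus encoded id and text
```

Output escaping at render time is what closes this bug class; a WAF rule (item 4) or CSP (item 8) only limits what slips past it.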
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-02-18T20:09:14.285Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef31f
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 10:06:09 PM
Last updated: 7/28/2025, 8:58:03 PM
Related Threats
- CVE-2025-8975: Cross Site Scripting in givanz Vvveb (Medium)
- CVE-2025-55716: CWE-862 Missing Authorization in VeronaLabs WP Statistics (Medium)
- CVE-2025-55714: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Crocoblock JetElements For Elementor (Medium)
- CVE-2025-55713: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in CreativeThemes Blocksy (Medium)
- CVE-2025-55712: CWE-862 Missing Authorization in POSIMYTH The Plus Addons for Elementor Page Builder Lite (Medium)