
CVE-2025-1458: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bdthemes Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder

Severity: Medium
Tags: vulnerability, cve-2025-1458, cwe-79
Published: Sat Apr 26 2025 (04/26/2025, 05:34:23 UTC)
Source: CVE
Vendor/Project: bdthemes
Product: Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder

Description

The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets like Dual Button, Creative Button, Image Stack and more in all versions up to, and including, 5.10.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 12:16:53 UTC

Technical Analysis

CVE-2025-1458 is a stored Cross-Site Scripting (XSS) vulnerability identified in the bdthemes Element Pack Addons for Elementor plugin, widely used to enhance WordPress websites with templates, blocks, widgets, and WooCommerce builder features. The vulnerability affects all versions up to and including 5.10.29. It stems from improper neutralization of input during web page generation (CWE-79), where several widgets such as Dual Button, Creative Button, and Image Stack fail to adequately sanitize user-supplied input or escape output. This flaw allows authenticated attackers with at least Contributor-level privileges to inject arbitrary JavaScript code into pages. When other users visit these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the victim’s session. The attack vector is remote over the network, with low attack complexity and no user interaction required beyond page access. The vulnerability impacts confidentiality and integrity but not availability. The CVSS v3.1 score of 6.4 reflects a medium severity, considering the need for authenticated access but the broad impact scope due to stored script execution. No public exploits have been reported yet, but the presence of this vulnerability in a popular WordPress plugin makes it a significant risk for websites using these addons. The lack of official patches at the time of disclosure necessitates immediate mitigation steps to reduce exposure.

Potential Impact

The primary impact of CVE-2025-1458 is the compromise of confidentiality and integrity of affected WordPress websites using the vulnerable Element Pack Addons. Attackers with Contributor-level access can inject persistent malicious scripts that execute in the browsers of site visitors, including administrators and other privileged users. This can lead to session hijacking, credential theft, unauthorized actions performed on behalf of users, defacement, or distribution of malware. For e-commerce sites using WooCommerce widgets, this could result in theft of customer data or manipulation of transactions. The vulnerability does not directly affect availability but can severely damage organizational reputation and user trust. Given the widespread use of Elementor and its addons globally, numerous websites are at risk, especially those that allow contributor-level user registrations or have multiple editors. The medium CVSS score reflects the balance between required privileges and the potential for significant impact. Organizations failing to address this vulnerability may face targeted attacks or automated exploitation once public exploits emerge.

Mitigation Recommendations

1. Immediately update the Element Pack Addons for Elementor plugin to a patched version once available from the vendor. Monitor bdthemes announcements for official fixes.
2. In the interim, restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious script injection.
3. Implement a Web Application Firewall (WAF) with custom rules to detect and block suspicious script injection patterns targeting the vulnerable widgets.
4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages.
5. Regularly audit user-generated content in the affected widgets for suspicious or unexpected code.
6. Harden WordPress security by disabling unnecessary user roles or capabilities and enforcing strong authentication.
7. Monitor website logs and user activity for signs of exploitation or anomalous behavior.
8. Consider temporarily disabling the vulnerable widgets if patching is delayed and the risk is high.

These steps provide layered defense until a vendor patch is applied.
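One way to carry out the content audit in step 5 over the widget data Elementor stores for a page, as an added example that is not from this page or from the bdthemes plugin: it assumes Elementor's _elementor_data JSON layout (nested section/column/widget nodes, each widget with a settings map), and the bdt-* widget type names and the sample page data are constructed placeholders.

```python
import json
import re

# Constructed sample of an Elementor page's element tree (Elementor keeps such a
# JSON tree in the _elementor_data post meta; layout assumed, bdt-* names made up).
SAMPLE_ELEMENTOR_DATA = json.dumps([{"id": "s1", "elType": "section", "elements": [
    {"id": "c1", "elType": "column", "elements": [
        {"id": "w1", "elType": "widget", "widgetType": "bdt-dual-button",
         "settings": {"text": "Shop now", "link": {"url": "https://example.com/shop"}}},
        {"id": "w2", "elType": "widget", "widgetType": "bdt-creative-button",
         "settings": {"text": "Click <img src=x onerror=alert(1)>",
                      "link": {"url": "javascript:alert(document.cookie)"}}},
        {"id": "w3", "elType": "widget", "widgetType": "heading",
         "settings": {"title": "<script>alert(1)</script>"}}]}]}])

# Widget types the advisory names (placeholder identifiers, see above).
WATCHED_WIDGETS = {"bdt-dual-button", "bdt-creative-button", "bdt-image-stack"}
# Script-injection markers that have no business in widget text or link URLs.
SUSPICIOUS = [("script-tag", re.compile(r"<\s*script\b", re.I)),
              ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
              ("javascript-url", re.compile(r"^\s*javascript\s*:", re.I))]

def iter_strings(value, path=""):
    """Yield (dotted path, string) for every string nested in a settings value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from iter_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):  # repeater items (e.g. image stack entries)
        for i, v in enumerate(value):
            yield from iter_strings(v, f"{path}[{i}]")

def iter_widgets(elements):
    """Walk the section/column/widget tree depth-first, yielding widget nodes."""
    for el in elements:
        if el.get("elType") == "widget":
            yield el
        yield from iter_widgets(el.get("elements", []))

def audit_elementor_data(raw_json, watched=WATCHED_WIDGETS):
    """Return (widget id, widget type, setting path, rule) for each suspicious
    string; pass watched=None to audit every widget rather than the named ones."""
    findings = []
    for widget in iter_widgets(json.loads(raw_json)):
        wtype = widget.get("widgetType", "")
        if watched is not None and wtype not in watched:
            continue
        for path, text in iter_strings(widget.get("settings", {})):
            findings.extend((widget["id"], wtype, path, rule)
                            for rule, pat in SUSPICIOUS if pat.search(text))
    return findings
```

Run it against the decoded `_elementor_data` meta of each post whose author holds Contributor rights; a hit names the widget, the setting and the rule so the content can be reviewed and the author's activity checked.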


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-02-18T20:09:14.285Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef31f

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 2/27/2026, 12:16:53 PM

Last updated: 3/25/2026, 3:02:10 AM

