CVE-2025-14635 is a stored cross-site scripting vulnerability in the Happy Addons for Elementor WordPress plugin, affecting all versions up to 3.20.3. The vulnerability is due to improper neutralization of input in the 'ha_page_custom_js' parameter, allowing authenticated users with Contributor-level privileges or higher to inject malicious scripts into pages. These scripts execute in the context of any user viewing the page, potentially leading to session hijacking or other client-side attacks. The vulnerability bypasses role restrictions intended to limit custom JavaScript injection to Administrators. The CVSS 3.1 base score is 6.4 (medium severity), with network attack vector, low attack complexity, and privileges required at the contributor level. No patch or vendor advisory is currently available.

An attacker with Contributor-level access or higher can exploit this vulnerability to inject and store malicious JavaScript code within WordPress pages. This code executes in the browsers of users who visit the compromised pages, potentially leading to theft of user credentials, session tokens, or other malicious actions within the context of the affected site. The vulnerability does not affect availability but impacts confidentiality and integrity. Since the injection is stored, the attack can persist and affect multiple users over time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level user permissions carefully and monitor for suspicious activity related to custom JavaScript usage. Consider disabling or limiting the use of the 'ha_page_custom_js' parameter if possible. Avoid granting Contributor or higher privileges to untrusted users. Follow updates from thehappymonster for official patches or mitigations.