CVE-2025-14635 is a stored Cross-Site Scripting (XSS) vulnerability found in the Happy Addons for Elementor plugin for WordPress, affecting all versions up to and including 3.20.3. The vulnerability arises from improper neutralization of input during web page generation, specifically in the 'ha_page_custom_js' parameter, which lacks sufficient input sanitization and output escaping. This flaw allows authenticated attackers with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Normally, the ability to add Custom JS is restricted to Administrators, but this vulnerability bypasses that restriction, enabling lower-privileged users to embed malicious scripts. When any user accesses a page containing the injected script, the malicious code executes in their browser context, potentially leading to session hijacking, privilege escalation, or unauthorized actions on behalf of the user. The CVSS 3.1 base score is 6.4, reflecting a medium severity with an attack vector over the network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change affecting confidentiality and integrity. No public exploits are currently known. The vulnerability is significant because WordPress is widely used, and Elementor is a popular page builder plugin, making this a potentially impactful issue for many websites. The flaw’s exploitation could undermine trust in affected sites and lead to data leakage or defacement.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of their web assets. Exploitation could allow attackers to execute arbitrary scripts in the context of the affected website, leading to session hijacking, theft of sensitive user data, or unauthorized actions performed with the privileges of other users. This could result in reputational damage, loss of customer trust, and potential regulatory consequences under GDPR if personal data is compromised. Since the attack requires authenticated access with Contributor-level permissions, organizations with lax user role management or open contributor registrations are at higher risk. The vulnerability does not impact availability directly but could be leveraged as part of a broader attack chain. European entities relying on WordPress sites with the Happy Addons plugin, especially those using Contributor roles for content creation, should be vigilant. The medium CVSS score reflects a balanced risk that should not be ignored given the widespread use of the affected plugin.

1. Immediately review and restrict user roles on WordPress sites using Happy Addons for Elementor, ensuring that only trusted users have Contributor-level or higher access. 2. Temporarily disable or remove the Happy Addons plugin if feasible until a patched version is released. 3. Monitor web pages for unexpected or suspicious JavaScript code injections, using web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'ha_page_custom_js' parameter. 4. Implement strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 5. Educate site administrators about the risks of granting contributor access and enforce strong authentication and monitoring of user activities. 6. Once the vendor releases a patch, apply it promptly and verify that the vulnerability is resolved. 7. Conduct regular security audits and vulnerability scans focusing on plugin versions and input sanitization weaknesses. 8. Consider using security plugins that can detect and alert on suspicious changes to page content or scripts.