CVE-2025-2330 is a stored cross-site scripting (XSS) vulnerability identified in the All-in-One Addons for Elementor – WidgetKit plugin for WordPress, specifically within the 'button+modal' widget. This vulnerability exists due to improper neutralization of user-supplied input during web page generation, classified under CWE-79. The plugin fails to adequately sanitize and escape input attributes, enabling authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. These malicious scripts persist in the stored content and execute in the context of any user who accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 2.5.4. The CVSS v3.1 base score is 6.4, reflecting a medium severity with an attack vector of network (remote), low attack complexity, requiring privileges (PR:L), no user interaction, and scope change (S:C). No public exploits have been reported yet. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow content creation or modification by multiple user roles. Given the widespread use of Elementor and its addons in WordPress sites, this vulnerability could be leveraged in targeted attacks against websites with contributor-level users, such as multi-author blogs or corporate sites with delegated content management.

The primary impact of CVE-2025-2330 is the potential for stored XSS attacks, which can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, and the spread of malware through injected scripts. Organizations running WordPress sites with the vulnerable plugin expose their users to these risks, especially if contributor-level users are present who can inject malicious content. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially compromised component, potentially impacting site integrity and user trust. While the vulnerability does not directly affect availability, the integrity and confidentiality of user data and sessions are at risk. Exploitation requires authenticated access, limiting the attack surface to environments where contributor or higher privileges are granted, but this is common in collaborative content management scenarios. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure. Organizations could face reputational damage, data breaches, and compliance issues if exploited.

1. Immediately audit user roles and permissions to restrict contributor-level access only to trusted users. 2. Monitor and review content submitted via the 'button+modal' widget for suspicious or unexpected scripts. 3. Apply patches or updates from the vendor as soon as they become available to address the vulnerability. 4. In the absence of an official patch, implement web application firewall (WAF) rules to detect and block malicious script injections targeting the vulnerable widget parameters. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 6. Educate content contributors about safe content practices and the risks of embedding scripts. 7. Regularly scan the website for stored XSS payloads using automated tools or security plugins. 8. Consider temporarily disabling or replacing the vulnerable widget if patching is delayed. 9. Maintain backups and incident response plans to quickly restore affected sites if exploitation occurs.