CVE-2025-2330: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themesgrove All-in-One Addons for Elementor – WidgetKit
The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button+modal' widget in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-2330 is a stored Cross-Site Scripting (XSS) vulnerability identified in the All-in-One Addons for Elementor – WidgetKit WordPress plugin developed by themesgrove. This vulnerability affects all versions up to and including 2.5.4. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'button+modal' widget. Specifically, authenticated users with contributor-level access or higher can inject arbitrary malicious JavaScript code into pages via this widget. Because the vulnerability is stored, the injected script persists in the website's content and executes whenever any user accesses the compromised page. The vulnerability does not require user interaction to trigger once the malicious payload is stored and viewed. The CVSS 3.1 base score is 6.4 (medium severity), reflecting a network attack vector with low attack complexity, requiring privileges (contributor or above), no user interaction, and impacting confidentiality and integrity with a scope change (affecting other components or users). There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. This vulnerability can be leveraged to steal session cookies, perform actions on behalf of other users, or deface websites, depending on the victim's privileges and the attacker's goals.
Potential Impact
For European organizations using WordPress sites with the affected WidgetKit plugin, this vulnerability poses a significant risk to website integrity and user trust. Stored XSS can lead to session hijacking, unauthorized actions, and data leakage, particularly impacting users with elevated privileges such as administrators. Confidentiality of user data can be compromised, and integrity of website content can be undermined, potentially damaging brand reputation and violating data protection regulations such as GDPR. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts are primary attack vectors. The scope change in the CVSS vector indicates that the vulnerability can affect other users beyond the initial attacker, increasing the risk of widespread impact. European organizations with public-facing WordPress sites that rely on this plugin for enhanced widget functionality are at risk of targeted attacks or automated exploitation once a public exploit emerges. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. The impact on availability is low, but the potential for persistent malicious code injection can lead to prolonged compromise and remediation challenges.
Mitigation Recommendations
1. Immediate mitigation involves restricting contributor-level access to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit user-generated content, especially in pages using the 'button+modal' widget, to detect and remove suspicious scripts. 3. Disable or remove the All-in-One Addons for Elementor – WidgetKit plugin if it is not essential, or replace it with a secure alternative. 4. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting this plugin. 5. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. 6. Regularly update the plugin once a patch is released by the vendor, and subscribe to security advisories from themesgrove and WordPress security channels. 7. Conduct security awareness training for contributors to recognize and avoid introducing malicious content. 8. Use security plugins that scan for stored XSS and other vulnerabilities in WordPress environments. These measures, combined, reduce the attack surface and mitigate exploitation risks beyond generic patching advice.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
CVE-2025-2330: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themesgrove All-in-One Addons for Elementor – WidgetKit
Description
The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button+modal' widget in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI-Powered Analysis
Technical Analysis
CVE-2025-2330 is a stored Cross-Site Scripting (XSS) vulnerability identified in the All-in-One Addons for Elementor – WidgetKit WordPress plugin developed by themesgrove. This vulnerability affects all versions up to and including 2.5.4. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'button+modal' widget. Specifically, authenticated users with contributor-level access or higher can inject arbitrary malicious JavaScript code into pages via this widget. Because the vulnerability is stored, the injected script persists in the website's content and executes whenever any user accesses the compromised page. The vulnerability does not require user interaction to trigger once the malicious payload is stored and viewed. The CVSS 3.1 base score is 6.4 (medium severity), reflecting a network attack vector with low attack complexity, requiring privileges (contributor or above), no user interaction, and impacting confidentiality and integrity with a scope change (affecting other components or users). There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. This vulnerability can be leveraged to steal session cookies, perform actions on behalf of other users, or deface websites, depending on the victim's privileges and the attacker's goals.
Potential Impact
For European organizations using WordPress sites with the affected WidgetKit plugin, this vulnerability poses a significant risk to website integrity and user trust. Stored XSS can lead to session hijacking, unauthorized actions, and data leakage, particularly impacting users with elevated privileges such as administrators. Confidentiality of user data can be compromised, and integrity of website content can be undermined, potentially damaging brand reputation and violating data protection regulations such as GDPR. Since the vulnerability requires contributor-level access, insider threats or compromised contributor accounts are primary attack vectors. The scope change in the CVSS vector indicates that the vulnerability can affect other users beyond the initial attacker, increasing the risk of widespread impact. European organizations with public-facing WordPress sites that rely on this plugin for enhanced widget functionality are at risk of targeted attacks or automated exploitation once a public exploit emerges. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. The impact on availability is low, but the potential for persistent malicious code injection can lead to prolonged compromise and remediation challenges.
Mitigation Recommendations
1. Immediate mitigation involves restricting contributor-level access to trusted users only, minimizing the risk of malicious input injection. 2. Monitor and audit user-generated content, especially in pages using the 'button+modal' widget, to detect and remove suspicious scripts. 3. Disable or remove the All-in-One Addons for Elementor – WidgetKit plugin if it is not essential, or replace it with a secure alternative. 4. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting this plugin. 5. Apply strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on the website. 6. Regularly update the plugin once a patch is released by the vendor, and subscribe to security advisories from themesgrove and WordPress security channels. 7. Conduct security awareness training for contributors to recognize and avoid introducing malicious content. 8. Use security plugins that scan for stored XSS and other vulnerabilities in WordPress environments. These measures, combined, reduce the attack surface and mitigate exploitation risks beyond generic patching advice.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-03-14T21:21:22.902Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6864fe536f40f0eb72923f14
Added to database: 7/2/2025, 9:39:31 AM
Last enriched: 7/2/2025, 9:54:47 AM
Last updated: 7/3/2025, 5:53:17 AM
Views: 7
Related Threats
CVE-2025-5944: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bdthemes Element Pack Elementor Addons and Templates
MediumCVE-2025-49713: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in Microsoft Microsoft Edge (Chromium-based)
HighCVE-2025-43025: CWE-121: Stack-based Buffer Overflow in HP Inc. Universal Print Driver
MediumCVE-2025-34092: CWE-287 Improper Authentication in Google Chrome
CriticalCVE-2025-34091: CWE-203 Observable Discrepancy in Google Chrome
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.