CVE-2025-24595 is a stored cross-site scripting (XSS) vulnerability found in the bPlugins All Embed – Elementor Addons plugin for WordPress, affecting all versions up to and including 1.1.3. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious JavaScript code to be injected and stored persistently within the affected website's content. When other users or administrators visit the compromised pages, the malicious scripts execute in their browsers within the context of the vulnerable site, potentially leading to session hijacking, credential theft, unauthorized actions, or malware distribution. This vulnerability does not require authentication or user interaction beyond visiting a malicious or compromised page, increasing its risk profile. The plugin is widely used in conjunction with the popular Elementor page builder, which powers a significant portion of WordPress sites globally. Although no public exploits have been reported yet, the vulnerability's nature and the plugin's popularity make it a prime target for attackers. The lack of a CVSS score indicates that the vulnerability is newly disclosed, but its characteristics align with typical high-risk stored XSS issues. The vulnerability was published on January 24, 2025, and no official patches or mitigation links are currently provided, emphasizing the need for immediate attention from site administrators and security teams.

The impact of CVE-2025-24595 is significant for organizations using the All Embed – Elementor Addons plugin. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of the vulnerable website, compromising user sessions, stealing sensitive information such as cookies or credentials, and enabling further attacks like phishing or malware distribution. This can damage organizational reputation, lead to data breaches, and cause regulatory compliance issues, especially for sites handling personal or financial data. Since the vulnerability is stored XSS, the malicious payload persists on the site, increasing the likelihood of repeated exploitation and wider impact. The ease of exploitation without authentication or complex prerequisites broadens the attack surface. Organizations relying on WordPress sites with this plugin, including e-commerce, media, and corporate websites, face increased risk of compromise. Additionally, attackers could leverage this vulnerability as a foothold for more advanced attacks within the victim's network or user base.

To mitigate CVE-2025-24595, organizations should immediately update the All Embed – Elementor Addons plugin to a version that addresses this vulnerability once released by bPlugins. In the absence of an official patch, administrators should consider temporarily disabling or removing the plugin to eliminate the attack vector. Implementing a Web Application Firewall (WAF) with rules to detect and block common XSS payloads can provide interim protection. Site owners should also conduct thorough input validation and output encoding on all user-generated content, especially where the plugin processes embedded content. Regular security audits and scanning for malicious scripts on the website are recommended to detect any existing compromises. Educating users and administrators about the risks of XSS and monitoring logs for suspicious activity can further reduce risk. Finally, maintaining a robust backup and incident response plan will help recover quickly if exploitation occurs.