CVE-2025-24729 is a security vulnerability classified as stored cross-site scripting (XSS) affecting the ElementInvader Addons for Elementor plugin, versions up to and including 1.3.3. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and stored persistently within the affected website's content. When other users or administrators access the compromised pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or distribution of malware. The flaw does not require authentication or user interaction beyond visiting the infected page, increasing its exploitation potential. The plugin is an add-on to Elementor, a widely used WordPress page builder, thus the vulnerability affects WordPress sites utilizing this specific plugin. No official patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved and published in January 2025 by Patchstack. The absence of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.

The impact of CVE-2025-24729 is significant for organizations using the ElementInvader Addons for Elementor plugin on their WordPress sites. Successful exploitation allows attackers to inject persistent malicious scripts that execute in the browsers of site visitors and administrators. This can lead to theft of sensitive information such as authentication cookies, enabling session hijacking and unauthorized access. Attackers may also deface websites, degrade user trust, or use the compromised sites as vectors for malware distribution. The vulnerability undermines the confidentiality, integrity, and availability of affected web applications. Given the widespread use of WordPress and Elementor plugins globally, many organizations, including businesses, government agencies, and non-profits, could be exposed. The ease of exploitation without authentication or complex prerequisites increases the risk of automated or targeted attacks. The absence of known exploits currently provides a window for proactive mitigation before widespread abuse occurs.

To mitigate CVE-2025-24729, organizations should immediately verify if they use the ElementInvader Addons for Elementor plugin and identify the installed version. If the version is 1.3.3 or earlier, they should seek official patches or updates from the vendor as soon as they become available and apply them promptly. In the absence of an official patch, temporarily disabling or uninstalling the plugin can prevent exploitation. Web application firewalls (WAFs) should be configured to detect and block common XSS attack patterns targeting this plugin. Additionally, implementing strict Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Site administrators should audit user-generated content and inputs handled by the plugin for suspicious code and sanitize or remove any malicious entries. Regular backups and monitoring for unusual site behavior will aid in rapid recovery and detection. Educating site administrators about the risks of XSS and safe plugin management practices is also recommended.