
CVE-2025-2944: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jegtheme Jeg Elementor Kit

Severity: Medium
Tags: Vulnerability, CVE-2025-2944, CWE-79
Published: Sat May 10 2025 (05/10/2025, 05:32:16 UTC)
Source: CVE
Vendor/Project: jegtheme
Product: Jeg Elementor Kit

Description

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Button and Countdown Widgets in all versions up to, and including, 2.6.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 13:11:53 UTC

Technical Analysis

The Jeg Elementor Kit plugin for WordPress, widely used for building and customizing websites, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-2944. This vulnerability is classified under CWE-79, improper neutralization of input during web page generation. Specifically, the issue exists in the Video Button and Countdown Widgets of the plugin, where user-supplied attributes are not properly sanitized or escaped before being rendered on web pages. As a result, an attacker with authenticated contributor-level access or higher can inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 2.6.12. The CVSS 3.1 base score is 6.4, reflecting medium severity: network attack vector, low attack complexity, privileges required but no user interaction, and low impacts on confidentiality and integrity with no availability impact. Although no exploits are currently known in the wild, the vulnerability poses a significant risk due to the common use of the plugin and the typical access levels granted to contributors in WordPress environments. The scope is considered changed (S:C) because the injected script runs in site visitors' browsers, a component other than the vulnerable plugin, so the impact reaches users beyond the attacker. No official patches or updates have been linked yet, so mitigation relies on access control and input validation measures.

Potential Impact

This vulnerability can lead to unauthorized script execution in the browsers of users visiting compromised pages, resulting in session hijacking, credential theft, defacement, or redirection to malicious sites. For organizations, this can cause reputational damage, loss of user trust, and potential data breaches. Since the attack requires contributor-level access, insider threats or compromised contributor accounts can be leveraged to exploit this vulnerability. The scope change means that the impact extends beyond the attacker to all users who view the infected content. Although availability is not affected, the confidentiality and integrity of user data and site content are at risk. Given WordPress's widespread use globally, especially among small to medium businesses and content creators, the vulnerability could be exploited to target a broad range of organizations. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

Mitigation Recommendations

Organizations should immediately review and restrict contributor-level access to trusted users only, implementing the principle of least privilege. Until an official patch is released, administrators can disable or remove the vulnerable Video Button and Countdown Widgets from the Jeg Elementor Kit plugin. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injections targeting these widgets can provide interim protection. Regularly audit user-generated content for suspicious scripts and sanitize inputs at the application level where possible. Monitoring logs for unusual contributor activity can help detect attempts to exploit this vulnerability. Additionally, keeping WordPress core and all plugins up to date is critical; once a patch for this vulnerability is available, it should be applied promptly. Educate contributors about the risks of injecting untrusted content and enforce strict content review processes before publishing.
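As an added illustration (not Jeg Elementor Kit's source code, which this page does not reproduce), the block below shows the CWE-79 pattern the analysis describes, the context-aware escaping a widget renderer needs, and the content audit the mitigation section recommends. It assumes a loaded WordPress environment (esc_url(), esc_attr(), esc_html(), absint(), get_post_meta() and $wpdb are core APIs); the widget markup, setting keys and function names are hypothetical.

```php
<?php
/**
 * Added illustration, not plugin code. Assumes WordPress core is loaded
 * (esc_url, esc_attr, esc_html, absint, get_post_meta, $wpdb). Widget
 * markup, setting keys and function names are constructed for the example.
 */

// The unsafe pattern the advisory describes: contributor-controlled widget
// settings are concatenated straight into HTML, so every value is rendered
// verbatim in whatever context it lands in.
function jek_example_render_video_button_unescaped( array $settings ): string {
    return '<a class="video-button" href="' . $settings['video_url'] . '" title="' . $settings['title'] . '">'
        . $settings['title'] . '</a>';
}

// Hardened render: each value is escaped for its output context.
function jek_example_render_video_button_escaped( array $settings ): string {
    $url   = esc_url( $settings['video_url'] ?? '' ); // URL context; rejects unsafe schemes
    $title = $settings['title'] ?? '';
    return sprintf(
        '<a class="video-button" href="%s" title="%s">%s</a>',
        $url,
        esc_attr( $title ), // attribute-value context
        esc_html( $title )  // text-node context
    );
}

// Countdown widget: numeric settings are cast to integers rather than
// escaped; free-text settings are escaped for the attribute they end up in.
function jek_example_render_countdown_escaped( array $settings ): string {
    $end     = absint( $settings['end_timestamp'] ?? 0 ); // data-end must be an integer
    $expired = $settings['expired_text'] ?? 'Expired';
    return sprintf(
        '<div class="countdown" data-end="%d" data-expired="%s"></div>',
        $end,
        esc_attr( $expired )
    );
}

// Recursively check every string inside a decoded Elementor settings tree
// for script-bearing markup. The pattern is a broad review trigger, not a
// precise verdict; flagged pages still need a human look.
function jek_example_contains_script_markup( $node ): bool {
    if ( is_string( $node ) ) {
        return (bool) preg_match( '/<script|javascript:|\bon[a-z]+\s*=/i', $node );
    }
    if ( is_array( $node ) ) {
        foreach ( $node as $child ) {
            if ( jek_example_contains_script_markup( $child ) ) {
                return true;
            }
        }
    }
    return false;
}

// Interim audit for the mitigation above: list Elementor-built posts whose
// stored widget settings (the _elementor_data postmeta) contain suspicious
// markup, with the author ID so contributor-level accounts can be reviewed.
// Decoding the JSON first avoids missing values the encoder escaped.
function jek_example_audit_elementor_data(): array {
    global $wpdb;
    $flagged = array();
    $rows    = $wpdb->get_results(
        "SELECT p.ID, p.post_author, p.post_modified
         FROM {$wpdb->posts} p
         JOIN {$wpdb->postmeta} pm ON pm.post_id = p.ID
         WHERE pm.meta_key = '_elementor_data'",
        ARRAY_A
    );
    foreach ( $rows as $row ) {
        $data = json_decode( get_post_meta( (int) $row['ID'], '_elementor_data', true ), true );
        if ( jek_example_contains_script_markup( $data ) ) {
            $flagged[] = $row;
        }
    }
    return $flagged;
}
```

Run the audit from a mu-plugin or with `wp eval-file` during the review window the mitigation section describes, and treat hits from accounts below editor level as the first candidates for manual inspection. Once the vendor ships a fixed release, the audit is a one-off check of already-published content rather than a permanent control.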


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-03-28T22:08:03.732Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd7111

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 2/27/2026, 1:11:53 PM

Last updated: 3/26/2026, 8:44:40 AM

Views: 55
