CVE-2025-32135 identifies a stored cross-site scripting (XSS) vulnerability in the Split Test For Elementor plugin developed by rocketelements, affecting all versions up to and including 1.8.4. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be stored persistently on the affected website. When a victim visits a compromised page, the malicious script executes in their browser context, potentially enabling attackers to steal cookies, session tokens, or other sensitive information, perform actions on behalf of the user, or deliver malware. Stored XSS is particularly dangerous because the payload is saved on the server and served to multiple users, increasing the attack surface. The plugin is widely used in WordPress environments that utilize Elementor for A/B testing, making the vulnerability relevant to a large number of websites. No CVSS score has been assigned yet, and no public exploits have been reported, but the vulnerability is publicly disclosed and should be considered active. The lack of authentication requirement and user interaction beyond page visit increases the risk. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially plugins that dynamically generate content based on user input.

The impact of CVE-2025-32135 is significant for organizations using the Split Test For Elementor plugin. Successful exploitation can lead to theft of sensitive user data such as authentication cookies and personal information, enabling account takeover and unauthorized access. Attackers can also manipulate website content, deface pages, or redirect users to malicious sites, damaging brand reputation and user trust. Additionally, the vulnerability can be leveraged to distribute malware or conduct phishing attacks at scale due to the persistent nature of stored XSS. For e-commerce, financial, healthcare, and other sensitive sectors, this can result in regulatory penalties and financial losses. The broad use of Elementor and its plugins means many websites globally are exposed, increasing the potential for widespread exploitation. The absence of known exploits currently provides a window for mitigation, but the ease of exploitation and lack of authentication requirements mean the threat could escalate rapidly once weaponized.

To mitigate CVE-2025-32135, organizations should immediately monitor for updates or patches from rocketelements and apply them as soon as they become available. In the interim, implement strict input validation and output encoding on all user-supplied data processed by the Split Test For Elementor plugin. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Regularly audit and sanitize stored content within the plugin’s data stores to identify and remove malicious scripts. Limit plugin usage to trusted administrators and restrict permissions to reduce exposure. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS attacks to detect and block malicious payloads. Educate site administrators and developers on secure coding practices and the risks associated with third-party plugins. Finally, maintain regular backups and incident response plans to quickly recover from any successful exploitation.