CVE-2025-3614 is a stored Cross-Site Scripting (XSS) vulnerability identified in the ElementsKit Elementor Addons and Templates plugin for WordPress, affecting all versions up to and including 3.5.2. The root cause is insufficient input sanitization and output escaping of the URL attribute within a custom widget, which allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users to malicious sites, or performing unauthorized actions on behalf of the victim. The vulnerability leverages CWE-79, a common web application security flaw related to improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability can affect resources beyond the attacker’s privileges once exploited. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability is particularly concerning in WordPress environments where multiple users have content creation privileges, as it enables privilege escalation through script injection and persistent client-side attacks.

The primary impact of CVE-2025-3614 is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with Contributor or higher privileges can inject persistent malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, credential theft, unauthorized actions, or defacement. This can undermine trust in the website, lead to data breaches, and facilitate further exploitation such as malware distribution or phishing. Since the vulnerability requires authenticated access, it primarily threatens multi-user WordPress installations with less restrictive user role assignments. The scope change in the CVSS vector indicates that the attack can affect resources beyond the attacker’s initial privileges, increasing the risk of privilege escalation and lateral movement within the site. Organizations relying on ElementsKit for site customization and content management may face reputational damage, regulatory consequences, and operational disruptions if exploited.

To mitigate CVE-2025-3614, organizations should immediately restrict Contributor-level and higher access to trusted users only, minimizing the risk of malicious script injection. Administrators should audit existing content for suspicious or unauthorized scripts, especially in custom widget URL attributes. Until an official patch is released, consider disabling or removing the ElementsKit Elementor Addons and Templates plugin if feasible. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection patterns targeting the vulnerable widget. Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and untrusted sources, reducing the impact of injected scripts. Regularly update WordPress core, plugins, and themes to incorporate security fixes once available. Additionally, monitor user activity logs for unusual behavior indicative of exploitation attempts. Educate content creators about secure input practices and the risks of injecting untrusted content. Finally, maintain regular backups to enable recovery in case of compromise.