CVE-2025-3614 is a stored Cross-Site Scripting (XSS) vulnerability found in the ElementsKit Elementor Addons and Templates plugin for WordPress, developed by xpeedstudio. This vulnerability affects all versions up to and including 3.5.2. The root cause is insufficient input sanitization and output escaping of the URL attribute within a custom widget. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to Contributor role, no user interaction, and impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. Given the widespread use of WordPress and Elementor-based plugins in website development, this vulnerability poses a significant risk to websites relying on ElementsKit for enhanced Elementor functionality.

For European organizations, this vulnerability can lead to unauthorized script execution on their websites, compromising user data confidentiality and integrity. Attackers could steal session cookies, perform actions on behalf of users, or manipulate website content, damaging brand reputation and user trust. Organizations in sectors such as e-commerce, government, education, and media that rely heavily on WordPress for their web presence are particularly at risk. The stored nature of the XSS means the malicious payload persists and affects all visitors to the compromised page, increasing the attack surface. Additionally, GDPR compliance could be impacted if personal data is exposed or manipulated through such attacks, potentially leading to regulatory penalties. The requirement for Contributor-level access means insider threats or compromised accounts could be leveraged, emphasizing the need for strict access controls and monitoring.

European organizations should immediately audit their WordPress installations to identify the presence of the ElementsKit Elementor Addons and Templates plugin. Until an official patch is released, it is advisable to restrict Contributor-level access strictly to trusted users and review existing user roles for unnecessary privileges. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the URL attribute of the custom widget. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor website content for unauthorized changes or injected scripts. Organizations should also consider disabling or removing the vulnerable plugin if it is not essential. Once a patch becomes available, prioritize its deployment. Additionally, conduct security awareness training for content contributors to recognize and avoid unsafe input practices.