CVE-2025-39361 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the WProyal Royal Elementor Addons plugin for WordPress. This vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are stored and later executed in the context of users visiting the affected website. The affected versions include all versions up to 1.7.1017, with no specific earliest version identified. The vulnerability requires low attack complexity (AC:L), network attack vector (AV:N), and privileges (PR:L) with user interaction (UI:R) necessary to trigger the exploit. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the vulnerable component, potentially impacting the entire web application. The impact includes low confidentiality, integrity, and availability impacts (C:L/I:L/A:L), but given the nature of stored XSS, it can lead to session hijacking, defacement, or distribution of malware to site visitors. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on May 7, 2025, and has a CVSS v3.1 base score of 6.5, categorized as medium severity. Stored XSS vulnerabilities in WordPress plugins are particularly dangerous because they can affect a large number of websites, especially those using the popular Elementor page builder and its addons, potentially compromising site administrators and visitors alike.

For European organizations, especially those operating websites using WordPress with the Royal Elementor Addons plugin, this vulnerability poses a significant risk. Exploitation could lead to unauthorized script execution in the browsers of site administrators or visitors, resulting in session hijacking, credential theft, defacement, or distribution of malware. This can damage brand reputation, lead to data breaches involving personal data protected under GDPR, and cause operational disruptions. Organizations in sectors such as e-commerce, government, education, and media, which often rely on WordPress for content management, may face increased risk. Additionally, the cross-site scripting vulnerability could be leveraged as a foothold for further attacks within the network if administrative credentials are compromised. The medium severity score reflects the need for timely mitigation to prevent exploitation, especially since the scope of impact extends beyond the vulnerable component to the entire web application.

European organizations should immediately audit their WordPress installations to identify the presence of the Royal Elementor Addons plugin and verify its version. Until an official patch is released, organizations should consider the following specific mitigations: 1) Disable or remove the Royal Elementor Addons plugin if it is not essential to reduce the attack surface. 2) Implement Web Application Firewall (WAF) rules specifically designed to detect and block common XSS payloads targeting this plugin. 3) Enforce strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected web pages. 4) Conduct thorough input validation and output encoding on any user-generated content managed through the plugin, if custom development is involved. 5) Monitor web server and application logs for unusual requests or script injections indicative of attempted exploitation. 6) Educate site administrators and users about the risks of clicking on suspicious links or interacting with untrusted content. 7) Plan for rapid deployment of patches once they become available from the vendor or trusted security sources. These targeted actions go beyond generic advice by focusing on immediate risk reduction and detection tailored to the nature of stored XSS in this specific plugin.